Complete airgapped/offline environment required for sign and verify without doing any requests to internet #3437

Closed
jaekunchoi opened this issue Dec 15, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@jaekunchoi

Many companies nowadays block internet access especially for POST requests when sending any data.
Also they use private repositories in something like Artifactory.

When I run below:

cosign sign --key ./cosign.key artifactory.company.com/test-image:v1.0

and allow it to continue, I get the following:

Error: signing [artifactory.company.com/test-image:v1.0]: recursively signing: signing digest: Post https://rekor.sigstore.dev/api/v1/log/entries: POST https://rekor.sigstore.dev/api/v1/log/entries giving up after 4 attempt(s): Post https://rekor.sigstore.dev/api/v1/log/entries: Forbidden main.go:74: error during command execution: signing [artifactory.company.com/test-image:v1.0]

How can we make it so it doesn't send requests to rekor.sigstore.dev, and also use a private Artifactory rather than Docker Hub?

Thanks!

jaekunchoi added the enhancement (New feature or request) label on Dec 15, 2023
@adrielldagasuan

You can sign without uploading to the public Rekor server by setting --tlog-upload=false. Also, you can use a private Docker repository without any issues. Just make sure you can authenticate to your private registry.

@jaekunchoi (Author)

> You can sign without uploading to the public Rekor server by setting --tlog-upload=false. Also, you can use a private Docker repository without any issues. Just make sure you can authenticate to your private registry.

Thanks it works! But I now have error

POST https://artifactory.company.com/v2/test/blobs/uploads/: UNAUTHORIZED: User is unauthorized to upload to aa/test/_uploads; map[]

What permissions do I need to configure in Artifactory now?

@adrielldagasuan

If you do cosign sign --help, you'd see some options there to configure your credentials. I suppose you need to generate a token in artifactory for your user and use that instead.

    --registry-password='':
        registry basic auth password

    --registry-token='':
        registry bearer auth token

    --registry-username='':
        registry basic auth username

@jaekunchoi (Author)

> If you do cosign sign --help, you'd see some options there to configure your credentials. I suppose you need to generate a token in artifactory for your user and use that instead.
>
>     --registry-password='':
>         registry basic auth password
>
>     --registry-token='':
>         registry bearer auth token
>
>     --registry-username='':
>         registry basic auth username

Thanks! It works.

I now am trying to verify with

cosign verify --key cosign.pub artifactory.com/test

but it's returning with:

Error: getting Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://tuf-repo-cdn.sigstore.dev/8.root.json": Forbidden
remote_status:{
  "mirror": "https://tuf-repo-cdn.sigstore.dev",
  "metadata": {}
}
main.go:74: error during command execution: getting Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://tuf-repo-cdn.sigstore.dev/8.root.json": Forbidden
remote_status:{
  "mirror": "https://tuf-repo-cdn.sigstore.dev",
  "metadata": {}
}

How can I verify without relying on https://tuf-repo-cdn.sigstore.dev/8.root.json ?

@jaekunchoi (Author)

Looks like we need our own STUF https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd/

Is there a way to avoid setting this up and not rely on https://tuf-repo-cdn.sigstore.dev/8.root.json ?

@haydentherapper (Contributor)

haydentherapper commented Dec 15, 2023

Yep, setting the env vars from #3368 (comment) will bypass the TUF repo. Though you’ll need to think through root key rotation too.

In the near future, we will also upgrade the TUF client to have an airgapped mode.
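Putting the thread's pieces together as a small POSIX sh wrapper (an added example, not code from the cosign project or from anyone in this thread). It assumes cosign 2.2.1 or later for the --registry-token flag, and uses --insecure-ignore-tlog=true on verify, a flag not mentioned above, to skip the Rekor check that triggers the TUF download of 8.root.json; since --tlog-upload=false never uploaded anything, there is no log entry to check. COSIGN, PRIVATE_REGISTRY and REGISTRY_TOKEN are the wrapper's own variables, not cosign's.

```shell
#!/bin/sh
# Airgapped cosign wrapper: sign and verify an image in a private registry without any
# request to rekor.sigstore.dev or tuf-repo-cdn.sigstore.dev.
# COSIGN can be pointed at a stub (e.g. COSIGN=echo) to dry-run the command lines.
COSIGN="${COSIGN:-cosign}"
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-artifactory.company.com}"   # constructed example host

# Fail before any network call on the two problems the thread hit only after one:
# an image ref outside the private registry, and a missing registry credential.
airgap_preflight() {
  image="$1"
  case "$image" in
    "$PRIVATE_REGISTRY"/*) ;;
    *) echo "refusing $image: not under $PRIVATE_REGISTRY" >&2; return 1 ;;
  esac
  if [ -z "$REGISTRY_TOKEN" ]; then
    echo "REGISTRY_TOKEN is unset: pushing the signature would fail with UNAUTHORIZED" >&2
    return 1
  fi
}

# Sign with a local private key. --tlog-upload=false is what stops the POST to
# rekor.sigstore.dev; --registry-token carries the Artifactory token (cosign >= 2.2.1).
airgap_sign() {
  key="$1"; image="$2"
  airgap_preflight "$image" || return 1
  "$COSIGN" sign --key "$key" --tlog-upload=false \
    --registry-token "$REGISTRY_TOKEN" "$image"
}

# Verify with the matching public key. --insecure-ignore-tlog=true (assumed flag, not from
# the thread) skips the Rekor inclusion check, and with it the TUF fetch of Rekor's public
# key that produced the 8.root.json error above.
airgap_verify() {
  pubkey="$1"; image="$2"
  airgap_preflight "$image" || return 1
  "$COSIGN" verify --key "$pubkey" --insecure-ignore-tlog=true \
    --registry-token "$REGISTRY_TOKEN" "$image"
}
```

Run with COSIGN=echo first to confirm the exact command lines before pointing it at the real binary.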

@lmarchione-r7

lmarchione-r7 commented Mar 12, 2024

> If you do cosign sign --help, you'd see some options there to configure your credentials. I suppose you need to generate a token in artifactory for your user and use that instead.
>
>     --registry-password='':
>         registry basic auth password
>
>     --registry-token='':
>         registry bearer auth token
>
>     --registry-username='':
>         registry basic auth username

Sorry to bump an old issue. I'm also getting the error UNAUTHORIZED: User is unauthorized to upload when trying to sign a multi-arch image. I don't see those basic-auth options when I run cosign sign --help. In the previous step of my CI/CD pipeline, I ran the command below to log in to Artifactory, and I get the return auth.go:191: logged in via /home/jenkins/.docker/config.json. What am I missing here?

echo "${ARTIFACTORY_PASSWORD}" | cosign login "${fullRepoName}" -u "${ARTIFACTORY_USERNAME}" --password-stdin

EDIT: I see that those options were introduced in 2.2.1.
