Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

always check remote image #543

Merged
merged 1 commit into from
Aug 15, 2021
Merged

always check remote image #543

merged 1 commit into from
Aug 15, 2021

Conversation

JimBugwadia
Copy link
Contributor

Signed-off-by: Jim Bugwadia [email protected]

Fixes #542

Remove fetch by digest, to always retrieval of the latest digest from the registry, in case an invalid digest is passed in or if the image is deleted and the signature is not.

With this change an invalid manifest error is returned when the incorrect digest is passed in:

cosign verify -key ~/cosign.pub ghcr.io/jimbugwadia/pause@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105
error: GET https://ghcr.io/v2/jimbugwadia/pause/manifests/sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105: MANIFEST_UNKNOWN: manifest unknown

Signed-off-by: Jim Bugwadia <[email protected]>
Copy link
Member

@dlorenc dlorenc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@dlorenc dlorenc merged commit 969aa80 into sigstore:main Aug 15, 2021
@dlorenc dlorenc mentioned this pull request Aug 15, 2021
@cpanato cpanato added this to the v1.1.0 milestone Aug 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cosign verify does not check if image digest matches the current artifact
3 participants