Revisit attestation logic in upload-to-harbor
Revisit Attestation Logic
The attestation logic we have in place currently is incomplete for a few reasons:
- We do not ever remove existing attestations from images, which means we are currently appending duplicate predicateType attestations to attestation tags in ironbank.
- We have a function that we call that removes signatures from existing tags, rather than existing attestations. We shouldn't ever need to remove signatures so long as we can confirm that cosign doesn't complain about existing signatures.
- If the access_log is empty and we attempt to add it as an attestation, it will result in the following error:
Using payload from: access_log
Error: signing 127.0.0.1:5000/ironbank/redhat/ubi/ubi8-minimal:8.6: invalid JSON payload for predicate type https://lies.com: unexpected end of JSON input
main.go:62: error during command execution: signing 127.0.0.1:5000/ironbank/redhat/ubi/ubi8-minimal:8.6: invalid JSON payload for predicate type https://lies.com: unexpected end of JSON input
We will need to build in logic to check if the access_log is empty and skip it.
After some further testing, it seems as though we may run into issues running cosign clean --type attestation. Running this locally, I get the following error from registry:2:
$ cosign clean --type attestation 127.0.0.1:5000/ironbank/redhat/ubi/ubi8-minimal:8.6
WARNING: this will remove all attestations from the image
Are you sure you want to continue? (y/[N]): y
could not delete 127.0.0.1:5000/ironbank/redhat/ubi/ubi8-minimal:sha256-545cfeac5b05fb042c30af8b304a7670af10104b67e612d33d6860a40bf50339.att from 127.0.0.1:5000/ironbank/redhat/ubi/ubi8-minimal:8.6: DELETE http://127.0.0.1:5000/v2/ironbank/redhat/ubi/ubi8-minimal/manifests/sha256-545cfeac5b05fb042c30af8b304a7670af10104b67e612d33d6860a40bf50339.att: DIGEST_INVALID: provided digest did not match uploaded content
This may force us to use cosign attest --replace when we're updating attestations on an existing image, which could introduce a period in which one attestation is updated, while others are not.
Our new workflow should be:
- promote tags
  - if this is a rescan without rebuild, this portion will not be run and the digests will be for existing images
- remove the function that removed signatures
- attach attestations with cosign attest --replace
  - even if this is an old digest (rescan without rebuild), we may still have changes to some of the attestations (hardening_manifest data may have changed), so always run, even if it's against an existing digest
  - this does not fail if no attestations already exist
- sign image digest
  - even if this digest already has a signature, resign it
- sign attestations: cosign sign --key cosign.key $(cosign triangulate <image>@<digest> --type attestation)
  - even if the attestation tag already has a signature, resign it
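The attest/sign steps of that workflow as a sketch in POSIX sh, added here as an example and not the project's upload-to-harbor code: it guards against the empty access_log payload before calling cosign, uses --replace so an existing attestation of the same predicateType is overwritten instead of appended, and always re-signs both the digest and its attestation tag. The KEY and COSIGN variables, the predicate type URI passed in by the caller, and the python3 JSON check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's upload-to-harbor script.
# Assumptions: KEY is the cosign private key, the caller passes each
# predicate file with its predicateType URI, and COSIGN can be overridden
# (e.g. COSIGN=echo) for a dry run that only prints the commands.
COSIGN="${COSIGN:-cosign}"
KEY="${KEY:-cosign.key}"

# Returns 0 when the predicate file is usable: non-empty and, when python3 is
# available, parseable as JSON. An empty file is exactly what made cosign fail
# with "unexpected end of JSON input".
predicate_is_usable() {
  f="$1"
  [ -s "$f" ] || return 1
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$f" \
      >/dev/null 2>&1 || return 1
  fi
  return 0
}

# attest_one IMAGE@DIGEST PREDICATE_TYPE PREDICATE_FILE
# Skips (exit 0) on an unusable payload instead of letting cosign error out,
# and uses --replace so a previous attestation of the same type is replaced
# rather than duplicated on the .att tag.
attest_one() {
  ref="$1"; ptype="$2"; file="$3"
  if ! predicate_is_usable "$file"; then
    echo "skipping $ptype: $file is empty or not JSON" >&2
    return 0
  fi
  "$COSIGN" attest --replace --key "$KEY" --type "$ptype" --predicate "$file" "$ref"
}

# sign_image_and_attestations IMAGE@DIGEST
# Re-signs the digest unconditionally, then signs whatever attestation tag
# cosign triangulate resolves for it, even if both were already signed.
sign_image_and_attestations() {
  ref="$1"
  "$COSIGN" sign --key "$KEY" "$ref" || return 1
  att_tag="$("$COSIGN" triangulate --type attestation "$ref")" || return 1
  "$COSIGN" sign --key "$KEY" "$att_tag"
}
```

Run with COSIGN=echo first to see the exact command sequence before pointing it at a registry.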