tlog-upload and new bundle format

[kholmanskikh]

Question
Hello.

What is the recommended combination of arguments to sign an image not using the new bundle format and not pushing an entry to a transactional log (it's a private repo)?

This combination of flags works for me:

cosign sign --key cosign.key --new-bundle-format=false --use-signing-config=false --tlog-upload=false <...image...>

but produces a warning:

Flag --tlog-upload has been deprecated, prefer using a --signing-config file with no transparency log services

If I create an empty config file with:

$ cosign signing-config create | tee  cosign.config
{"mediaType":"application/vnd.dev.sigstore.signingconfig.v0.2+json", "rekorTlogConfig":{}, "tsaConfig":{}}

and pass it to cosign, it fails with:

$ cosign sign --key cosign.key --new-bundle-format=false --signing-config=cosign.config --use-signing-config=false <...image...>
Error: if any flags in the group [use-signing-config signing-config] are set none of the others can be; [signing-config use-signing-config] were all set
error during command execution: if any flags in the group [use-signing-config signing-config] are set none of the others can be; [signing-config use-signing-config] were all set

Indeed passing both --signing-config and --use-signing-config=false looks rather strange, but I really struggle how to achieve that without seeing any warnings from cosign.

It's cosign v3.0.5

Thanks.

[Hayden-IO]

Drop the --new-bundle-format=false and --use-signing-config=false, then it should work without warning:

cosign sign --signing-config cosign.config --key cosign.key <image>

[kholmanskikh]

Unfortunately, it didn't help:

stas@localhost:/tmp/aa$ cosign sign --signing-config=cosign.config --key=cosign.key <...>/skholman-test-repo@sha256:9d0455b138987004f682db1a11da6924d8e06ffbd5474c27bf4797f4c9343756
Enter password for private key: 
Error: signing [<...>/skholman-test-repo@sha256:9d0455b138987004f682db1a11da6924d8e06ffbd5474c27bf4797f4c9343756]: signing digest: failed to upload manifest: PUT https://<...>/v2/<...>/skholman-test-repo/manifests/sha256:e94fe577b18ea4c35b07cf1bbe469db027190573bf584c73753ed7e73ae69761: MANIFEST_INVALID: Cannot read manifest data. Make sure it is consistent with the requirements from https://docs.docker.com/registry/spec/manifest-v2-2/ ; requestId = a5dbd45c-3332-4ff8-9b63-b0d821e83690
error during command execution: signing [<...>/skholman-test-repo@sha256:9d0455b138987004f682db1a11da6924d8e06ffbd5474c27bf4797f4c9343756]: signing digest: failed to upload manifest: PUT https://<...>/v2/<...>/skholman-test-repo/manifests/sha256:e94fe577b18ea4c35b07cf1bbe469db027190573bf584c73753ed7e73ae69761: MANIFEST_INVALID: Cannot read manifest data. Make sure it is consistent with the requirements from https://docs.docker.com/registry/spec/manifest-v2-2/ ; requestId = a5dbd45c-3332-4ff8-9b63-b0d821e83690
stas@localhost:/tmp/aa$ 

[Hayden-IO]

That is an error I haven't seen before, and unrelated to --tlog-upload. We'd need more information about what's being signed.

cc @steiza in case you've run into this error

[steiza]

Yeah, this is cosign letting you know the HTTP PUT to the container registry failed - could be that the container registry requires credentials to write to it?

[kholmanskikh]

Sorry for my late response.

I do provide valid credentials. Here are two logs with debug enabled:

cosign sign -d --signing-config=cosign.config --key cosign.key <...>/sample-repo:image
sign_log.txt

COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign -d --signing-config=cosign.config --key cosign.key <...>sample-repo:image
sign_docker_media_types.txt

Could it be that the registry simply does not accept the new bundle format?