
Conversation

@stealthybox (Member) commented Jan 16, 2026

With this change Flux can verify signatures issued from both the cosign v2.x and v3.x CLIs when using their respective default signing settings/flags.

v2 signatures and v3 bundle signatures both function transparently.
This does require Flux to perform additional queries to the registry.

Fixes #1923
Carries on from #1924

Signed-off-by: leigh capili <[email protected]>
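The lookup the description implies, as an added Go example that is not code from this PR or from Flux: a cosign v2 signature is stored at the digest-derived tag `sha256-<hex>.sig`, while a cosign v3 bundle is attached to the image as an OCI 1.1 referrer, which an OCI 1.0 registry such as registry:2 can only serve through the spec's fallback tag `sha256-<hex>`. The example tries the v2 layout first and falls through to the bundle layout against an in-memory fake registry that records requests, so the "additional queries" become countable, and then checks the located signature with ECDSA-P256 over the payload hash. The check order, the bundle artifact type string, the simplified signature record, and the fake registry, key, digest and payload are assumptions or constructed values, not cosign's or Flux's actual data structures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Assumed artifact type under which cosign v3 attaches its Sigstore bundle;
// confirm the exact string against cosign's source before relying on it.
const bundleArtifactType = "application/vnd.dev.sigstore.bundle.v0.3+json"

// signatureRecord: payload plus DER ECDSA-P256 signature over SHA-256(payload); real encodings not reproduced.
type signatureRecord struct{ payload, signature []byte }

type referrer struct{ artifactType string; record *signatureRecord }

// fakeRegistry records every request so the extra round trips are visible.
type fakeRegistry struct {
	hasReferrersAPI bool                        // OCI 1.1 (zot) true, registry:2 false
	tags            map[string]*signatureRecord // "<repo>:<tag>" -> cosign v2 signature
	referrers       map[string][]referrer       // "<repo>@<digest>" -> attached artifacts
	queries         []string
}

func newFakeRegistry(api bool) *fakeRegistry {
	return &fakeRegistry{api, map[string]*signatureRecord{}, map[string][]referrer{}, nil}
}

// legacySignatureTag is cosign v2's signature tag: "sha256:<hex>" -> "sha256-<hex>.sig".
func legacySignatureTag(digest string) string { return strings.Replace(digest, ":", "-", 1) + ".sig" }

// findReferrers models the OCI 1.1 referrers API, or the spec's fallback tag "<alg>-<hex>" after the API answers 404.
func (r *fakeRegistry) findReferrers(repo, digest string) ([]referrer, string) {
	if r.hasReferrersAPI {
		r.queries = append(r.queries, "GET /v2/"+repo+"/referrers/"+digest)
		return r.referrers[repo+"@"+digest], "referrers API"
	}
	r.queries = append(r.queries, "GET /v2/"+repo+"/referrers/"+digest+" (404)", "GET "+repo+":"+strings.Replace(digest, ":", "-", 1))
	return r.referrers[repo+"@"+digest], "referrers fallback tag"
}

// locateSignature tries the cosign v2 layout first, then the v3 bundle layout; the fallthrough costs the extra queries.
func locateSignature(reg *fakeRegistry, repo, digest string) (string, *signatureRecord, error) {
	reg.queries = append(reg.queries, "GET "+repo+":"+legacySignatureTag(digest))
	if rec, ok := reg.tags[repo+":"+legacySignatureTag(digest)]; ok {
		return "legacy .sig tag", rec, nil
	}
	refs, src := reg.findReferrers(repo, digest)
	for _, ref := range refs {
		if ref.artifactType == bundleArtifactType {
			return src, ref.record, nil
		}
	}
	return "", nil, errors.New("no signature at the legacy tag and no bundle referrer")
}

// verifyImage resolves the signature, checks it against pub, and reports where it was found and how many requests it took.
func verifyImage(reg *fakeRegistry, repo, digest string, pub *ecdsa.PublicKey) (string, int, error) {
	before := len(reg.queries)
	src, rec, err := locateSignature(reg, repo, digest)
	if err == nil {
		h := sha256.Sum256(rec.payload)
		if !ecdsa.VerifyASN1(pub, h[:], rec.signature) {
			err = errors.New("signature does not verify")
		}
	}
	return src, len(reg.queries) - before, err
}

func signPayload(priv *ecdsa.PrivateKey, payload []byte) *signatureRecord {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return &signatureRecord{payload, sig}
}

// buildFixtures mirrors three cases of the setup script's matrix with constructed
// values: a v2 signature on registry:2 and v3 bundles on both zot and registry:2.
func buildFixtures() (pub *ecdsa.PublicKey, zot, reg *fakeRegistry, digest string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	zot, reg, digest = newFakeRegistry(true), newFakeRegistry(false), "sha256:"+strings.Repeat("ab", 32)
	payload := []byte(`{"critical":{"identity":{"docker-reference":"localhost/flux-artifact"}}}`)
	reg.tags["v2-reg:"+legacySignatureTag(digest)] = signPayload(priv, payload)
	for _, r := range []*fakeRegistry{zot, reg} {
		r.referrers["v3-bundle@"+digest] = []referrer{{bundleArtifactType, signPayload(priv, payload)}}
	}
	return &priv.PublicKey, zot, reg, digest
}

func main() {
	pub, zot, reg, digest := buildFixtures()
	for _, c := range []struct{ reg *fakeRegistry; repo string }{{reg, "v2-reg"}, {zot, "v3-bundle"}, {reg, "v3-bundle"}} {
		src, n, err := verifyImage(c.reg, c.repo, digest, pub)
		fmt.Printf("%-9s via %-22s queries=%d err=%v\n", c.repo, src, n, err)
	}
}
```

`go run` prints one line per case: the v2 signature costs a single request, the v3 bundle on zot costs two (legacy miss, then the referrers API), and the same bundle on registry:2 costs three because the 404 from the referrers endpoint forces a further fetch of the fallback tag. That growing count is the price the description mentions, and an unsigned repository pays it too before the verifier can report that nothing was found.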
@stealthybox (Member, Author) commented Jan 16, 2026

This quick script:
~/hack/cosign/setup.sh

  • starts registry:2 (OCI 1.0) and zot:latest (OCI 1.1)
  • creates a matrix of flux artifacts with unique ConfigMaps
  • uploads the artifacts to their respective registry
  • signs the artifacts using the appropriate cosign binary or binaries based on their name
  • configures signature settings by name

The script also does a quick crane ls of all the tags to show the cases are producing different tag data.
When attempting manual signature verification -- not all cases are valid configurations.

Using this script, you can prime the two local registries with testdata that functions with the next commit.

#!/usr/bin/env bash
# Primes two local registries with signed flux artifacts for the verification tests:
#   zot:latest (OCI 1.1, referrers API) on 127.0.0.1:5558
#   registry:2 (OCI 1.0)                on 127.0.0.1:5559
# Needs docker, kubectl, flux, crane, and cosign v2/v3 in the flox environments
# ~/hack/cosign-v2 and ~/hack/cosign-v3.

docker run -d --restart=unless-stopped -p "127.0.0.1:5558:5000" --name cosign_zot ghcr.io/project-zot/zot:latest
docker run -d --restart=unless-stopped -p "127.0.0.1:5559:5000" --name cosign_registry registry:2
sleep 2

#cosign initialize --staging

# Key pair with an empty password; cosign.pub is the key the tests must load.
echo | COSIGN_PASSWORD= cosign generate-key-pair

function mk_config() {
    local name="$1"
    local port="$2"

    # One unique ConfigMap per case, pushed as a flux artifact.
    mkdir -p "$name"
    kubectl create cm --dry-run=client -oyaml "$name" > "$name/cm.yaml"
    flux push artifact --path "./$name" "oci://localhost:$port/$name" --source dev --revision "$name"

    # "envelope" cases turn off cosign v3's default bundle output (and its
    # signing-config lookup) so v3 writes the v2-style signature instead.
    local v3_args=()
    if [[ $name == *"envelope"* ]]; then
        v3_args=(--new-bundle-format=false --use-signing-config=false)
    fi

    # Sign with each cosign major version named in the case; "echo y" answers
    # cosign's yes/no prompt before it uploads to the transparency log.
    if [[ $name == *"v2"* ]]; then
        echo y | COSIGN_PASSWORD= flox activate -d ~/hack/cosign-v2 -- cosign sign --key cosign.key "localhost:$port/$name"
    fi
    if [[ $name == *"v3"* ]]; then
        echo y | COSIGN_PASSWORD= flox activate -d ~/hack/cosign-v3 -- cosign sign "${v3_args[@]}" --key cosign.key "localhost:$port/$name"
    fi

    crane ls "localhost:$port/$name"
}

# case name -> port: "-reg" cases go to registry:2, "-zot" cases to zot
cases=(
    v2-reg:5559 v2-zot:5558
    v2-v3-envelope-reg:5559 v2-v3-envelope-zot:5558
    v2-v3-bundle-reg:5559 v2-v3-bundle-zot:5558
    v3-envelope-reg:5559 v3-envelope-zot:5558
    v3-bundle-reg:5559 v3-bundle-zot:5558
)

for entry in "${cases[@]}"; do
    mk_config "${entry%%:*}" "${entry##*:}"
done

# Show that the cases produce different tag data.
for entry in "${cases[@]}"; do
    echo
    echo "${entry%%:*}"
    crane ls "localhost:${entry##*:}/${entry%%:*}"
done

@stealthybox (Member, Author) commented Jan 16, 2026

WIP tests pushed in bb1c8fb.

It passes locally! 🙂
When twiddling with it, we can also produce nice signature/bundle verification error messages, so it should also be easy to produce sad-path tests.

They are not expected to pass in CI.
The public key needs to be read from the setup.sh in the previous comment, and the local registries need to be running with the proper artifact and signature fixtures.

I tried using Zot pkgs to create an OCI 1.1 compliant registry:

    "zotregistry.dev/zot/v2/pkg/api"
    "zotregistry.dev/zot/v2/pkg/api/config"

but they pull in a lot of undesirable dependencies, require replaces, and the real kicker is some of the deps need CGO, so I ditched the effort of adding another testregistry.NewZot().

@stealthybox (Member, Author) commented

Looks like I missed this, need to fix:
https://github.com/fluxcd/source-controller/actions/runs/21077738289/job/60623771643#step:3:423

# [github.com/fluxcd/source-controller/internal/controller]
Error: vet: internal/controller/helmchart_controller_test.go:3477:102: not enough arguments in call to sign.SignCmd
	have (*"github.com/sigstore/cosign/v3/cmd/cosign/cli/options".RootOptions, "github.com/sigstore/cosign/v3/cmd/cosign/cli/options".KeyOpts, "github.com/sigstore/cosign/v3/cmd/cosign/cli/options".SignOptions, []string)
	want (context.Context, *"github.com/sigstore/cosign/v3/cmd/cosign/cli/options".RootOptions, "github.com/sigstore/cosign/v3/cmd/cosign/cli/options".KeyOpts, "github.com/sigstore/cosign/v3/cmd/cosign/cli/options".SignOptions, []string)
make: *** [Makefile:129: vet] Error 1
Error: Process completed with exit code 2.

@matheuscscp (Member) left a comment

Thanks for working on this!

"github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/v3/pkg/cosign"
"github.com/sigstore/cosign/v3/pkg/oci"

Review comment (Member):

nit

Suggested change

opts.NewBundleFormat = true
signatures, _, err = cosign.VerifyImageAttestations(ctx, ref, &opts)
}
fmt.Println(opts.NewBundleFormat, v.opts.NewBundleFormat)
Reply (Member):

oops

}

checkOpts := &cosign.CheckOpts{}
checkOpts.NewBundleFormat = true
@matheuscscp (Member) commented Jan 16, 2026

This line seems unneeded since we're assigning the value of this field for each case inside Verify()?

v2 signatures and v3 bundled signatures both function transparently.
This does require additional queries to the registry.

Signed-off-by: leigh capili <[email protected]>
@stealthybox force-pushed the cosign-v3-bundles branch 2 times, most recently from 2f282b2 to 8f083f5 on January 17, 2026 01:22


Development

Successfully merging this pull request may close these issues.

Unable to verify signature from cosign v3.x

3 participants