The artifactType for cosign signatures is wrong #41

Open
yizha1 opened this issue Nov 29, 2023 · 3 comments
Comments

yizha1 (Contributor) commented Nov 29, 2023

The artifactType for Cosign signatures should be application/vnd.dev.cosign.simplesigning.v1+json. However, the document used application/vnd.dev.cosign.artifact.sig.v1+json.

susanshi (Collaborator) commented Nov 29, 2023

Hi Yi, thanks for bringing this up. The artifact type string is used to match the artifact against the verifier configured. I agree that in many of our examples there is a lack of standards. For example, in this learning doc, the artifact type used in the oras command is "--artifact-type example/sbom".

We should take an action here to understand what the common attach commands used are (there is no enforcement that the artifact type is the same as the mediaType). I also wonder if Ratify could validate signatures from the cosign attach command.

akashsinghal (Collaborator) commented

@yizha1 Are we sure the artifactType of the cosign signature should be changed? The current cosign signatures which are pushed as Image manifest indeed have layer media type of application/vnd.dev.cosign.simplesigning.v1+json. However, the OCI 1.1 experimental implementation in cosign uses a different artifact type.

https://github.com/sigstore/cosign/blob/020f73ae08404be7b3751e9e05b3f0fff4d31a1a/internal/pkg/oci/remote/remote.go#L24

yizha1 (Contributor, Author) commented Nov 30, 2023

@akashsinghal Here is what I did:

1. `cosign generate-key-pair`

2. `cosign sign --key cosign.key $IMAGE --tlog-upload=false`

3. Use `"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json"` for the cosign verifier config:

   ```json
   "verifier": {
           "version": "1.0.0",
           "plugins": [
               {
                   "name":"cosign",
                   "artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
                   "key": "/home/yizha/playground/policy/ratify/cosign.pub"
               }
           ]
       }
   ```

4. Failed:

   ```
   ratify verify --config ./cosign_config.json --subject $IMAGE
   INFO[0000] selected default auth provider: dockerConfig
   INFO[0000] selected policy provider: configPolicy
   INFO[0001] Resolve of the image completed successfully the digest is sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1
   {
   "isSuccess": false,
   "verifierReports": [
   {
   "subject": "wabbitregistry.azurecr.io/nginx:v1",
   "isSuccess": false,
   "message": "verification failed: no referrers found for this artifact"
   }
   ]
   }
   ```

5. Update artifactType to "application/vnd.dev.cosign.simplesigning.v1+json".

6. Successful:

   ```
   ratify verify --config ./cosign_config.json --subject $IMAGE
   INFO[0000] selected default auth provider: dockerConfig
   INFO[0000] selected policy provider: configPolicy
   INFO[0001] Resolve of the image completed successfully the digest is sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1
   time="2023-11-30T14:28:33+08:00" level=info msg="selected default auth provider: dockerConfig"
   {
   "isSuccess": false,
   "verifierReports": [
   {
   "subject": "wabbitregistry.azurecr.io/nginx:v1",
   "isSuccess": true,
   "name": "cosign",
   "message": "cosign verification success. valid signatures found",
   "extensions": {
   "signatures": [
   {
   "bundleVerified": false,
   "error": {},
   "isSuccess": false,
   "signatureDigest": "sha256:dfb8f6b8d2399a6aa56a32d19a299e637570973f4b18b71af19b6d9fa0eb9fa5"
   },
   {
   "bundleVerified": false,
   "isSuccess": true,
   "signatureDigest": "sha256:dfb8f6b8d2399a6aa56a32d19a299e637570973f4b18b71af19b6d9fa0eb9fa5"
   }
   ]
   },
   "artifactType": "application/vnd.dev.cosign.simplesigning.v1+json"
   }
   ]
   }
   ```
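To make the matching step that susanshi describes (the referrer's artifact type string is compared against each configured verifier's artifactTypes) and the two runs above concrete, here is an added, self-contained model in Python. It is not Ratify's or cosign's code. The referrers index is constructed by hand: one cosign signature carrying the artifactType reported in the successful run, and one SBOM attached with `oras attach --artifact-type example/sbom` as mentioned in the discussion; the digests and the key path are placeholders. Accepting a comma-separated `artifactTypes` string is an assumption added for generality; the issue only shows a single string.

```python
import json

# --- Constructed inputs (not taken from the issue) -----------------------------

# Hand-built OCI 1.1 referrers response for a subject image. Digests are made up.
REFERRERS_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {   # cosign signature, artifactType as seen in the successful ratify run
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "11" * 32,
            "size": 1234,
            "artifactType": "application/vnd.dev.cosign.simplesigning.v1+json",
        },
        {   # SBOM attached with `oras attach --artifact-type example/sbom`
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "22" * 32,
            "size": 2345,
            "artifactType": "example/sbom",
        },
    ],
})

# The two artifactTypes strings tried in the issue.
WRONG_TYPE = "application/vnd.dev.cosign.artifact.sig.v1+json"
RIGHT_TYPE = "application/vnd.dev.cosign.simplesigning.v1+json"


def verifier_config(artifact_types: str) -> dict:
    """Minimal verifier section in the shape shown in the issue; only artifactTypes varies."""
    return {
        "verifier": {
            "version": "1.0.0",
            "plugins": [
                {
                    "name": "cosign",
                    "artifactTypes": artifact_types,
                    "key": "/path/to/cosign.pub",  # placeholder, not a real path
                }
            ],
        }
    }


def plugin_artifact_types(plugin: dict) -> set:
    """Normalise a plugin's artifactTypes to a set of exact strings.

    Assumption (not from the issue): a comma-separated string or a JSON list is
    accepted. Whitespace around entries is stripped so a stray space after a
    comma does not silently disable a verifier.
    """
    raw = plugin.get("artifactTypes", "")
    items = raw if isinstance(raw, list) else raw.split(",")
    return {t.strip() for t in items if t.strip()}


def select_referrers(config: dict, referrers_index_json: str) -> list:
    """Return (plugin name, referrer digest) pairs whose artifactType matches exactly.

    This is the matching step described in the discussion: an exact string
    comparison between the referrer's artifactType and the configured verifier's
    artifactTypes. A layer mediaType (e.g. the simplesigning layer inside a legacy
    cosign signature manifest) is not consulted here at all.
    """
    index = json.loads(referrers_index_json)
    matches = []
    for plugin in config["verifier"]["plugins"]:
        wanted = plugin_artifact_types(plugin)
        for manifest in index.get("manifests", []):
            if manifest.get("artifactType") in wanted:
                matches.append((plugin["name"], manifest["digest"]))
    return matches


def selection_report(config: dict, referrers_index_json: str) -> dict:
    """Summarise the outcome: an empty match list is the 'nothing to verify' case."""
    matches = select_referrers(config, referrers_index_json)
    if not matches:
        return {"matched": [], "message": "no referrers matched a configured verifier"}
    return {"matched": matches, "message": "%d referrer(s) routed to a verifier" % len(matches)}


if __name__ == "__main__":
    for label, art_type in (("wrong", WRONG_TYPE), ("right", RIGHT_TYPE)):
        print(label, json.dumps(selection_report(verifier_config(art_type), REFERRERS_INDEX)))
```

Running it reproduces the shape of the two runs: with the `artifact.sig` string nothing is routed to the cosign plugin, which is the situation behind the "no referrers found for this artifact" failure, while with the `simplesigning` string the signature referrer is selected. The practical check this suggests is to compare the verifier's configured string against the artifactType the registry actually reports for the referrer (e.g. via the referrers API or `oras discover`), rather than against the layer mediaType; as akashsinghal notes, cosign's OCI 1.1 experimental path uses a different constant, so the right string depends on how the signature was pushed.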
