I use this link for image signature verification with cosign. 'cosign verify' works before the pull by Kubernetes. I installed sigstore and created the secret as below, but Kubernetes does not create the pod with the signed image. I used this link but it is not working: https://sysdig.com/blog/secure-kubernetes-deployment-signature-verification/. Please support me:
cosign verify --key cosign.pub muradsamadov/contenttrust:signed | jq .
Verification for index.docker.io/muradsamadov/contenttrust:signed --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[
{
"critical": {
"identity": {
"docker-reference": "index.docker.io/muradsamadov/contenttrust"
},
"image": {
"docker-manifest-digest": "sha256:30e6d35703c578ee703230b9dc87ada2ba958c1928615ac8a674fcbbcbb0f281"
},
"type": "cosign container image signature"
},
"optional": {
"Bundle": {
"SignedEntryTimestamp": "MEUCIDiG6KvLgJfjQfDucJGmgoxOWU62YeMX2sPIOtm0LQ/5AiEA2R/NfnsbbTU4ofUg1B8XFQnJx+MAkzarv/Q8hAerk0c=",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI3ZGYwYWJkNDVjZjZhYWEwNDFkOGY0OWMzZmU5ODFhNDYyN2I3MjhlODYyNmFlYjAyN2Y0N2VhNzk3ZTI1NDVlIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQXlvMGdVTEppWG9NcEdDOElmd1g4QlFSZlJiRHhYRC9nVy9VNnp6RmpIN0FpQThhYUx4M1VsYyt4d09nWmJkY3BvcU91T0JHb1M0M3FIQkcvcUV2am4wMWc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGTmxOUmRsUjNWME5OU1UxbFoycEdVelY2VG5kdWEyZDRXV041YUFweVkwVkdaMkZvUzBjcmQycFBkbTU2ZDJ4aE5HSldZVEJ6Uldad0wySlZhR3MzSzNGRmVtVjBaSGhuVFZGWVRFY3lkVlpCYUVwSGFHZEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
"integratedTime": 1686939096,
"logIndex": 24000966,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
}
}
]
k run test --image muradsamadov/contenttrust:signed -n testcontenttrust
Error from server (BadRequest): admission webhook "cosigned.sigstore.dev" denied the request: validation failed: no matching signatures:
unable to verify bundle: retrieving rekor public key: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
"mirror": "sigstore-tuf-root",
"metadata": {
"root.json": {
"version": 7,
"len": 5404,
"expiration": "04 Oct 23 13:08 UTC",
"error": ""
},
"snapshot.json": {
"version": 90,
"len": 2303,
"expiration": "03 Jul 23 16:03 UTC",
"error": ""
},
"targets.json": {
"version": 7,
"len": 5252,
"expiration": "04 Oct 23 13:26 UTC",
"error": ""
},
"timestamp.json": {
"version": 90,
"len": 721,
"expiration": "26 Jun 23 16:03 UTC",
"error": ""
}
}
}: spec.containers[0].image
index.docker.io/muradsamadov/contenttrust@sha256:30e6d35703c578ee703230b9dc87ada2ba958c1928615ac8a674fcbbcbb0f281
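The denial message is worth reading in two halves. The first half ("no matching signatures: unable to verify bundle: retrieving rekor public key ... tuf: invalid key") says the webhook never got as far as checking the signature against cosign.pub: the bundle attached to the signature carries a Rekor SignedEntryTimestamp, verifying that needs Rekor's public key, and the webhook fetches that key through the Sigstore TUF mirror, where its TUF client rejected a key in the metadata it downloaded (root.json version 7 in the status dump). The CLI run succeeded because it verified the bundle "offline" with a Rekor key it already had. The second half names the exact image digest the webhook resolved, which is the same digest the signature covers, so a digest mismatch is not the cause. The script below is an added example (not code from the original post, the linked article or the sigstore projects) that decodes the bundle from the cosign verify output above with only the Python standard library: it extracts the hashedrekord fields, confirms the signed digest equals the webhook's digest, builds the canonical bytes that the SignedEntryTimestamp signs, and shows how a Rekor key, once fetched, is matched to the bundle's logID (the hex SHA-256 of the log key in DER form). The WEBHOOK_IMAGE constant is the reference copied from the denial message; the one thing it cannot do is verify the SET, because the Rekor key is precisely what was missing in the cluster.

```python
"""Offline inspection of the Rekor bundle printed by `cosign verify`.

Added example, not from the original post or the sigstore projects.
Standard library only.
"""
import base64
import hashlib
import json

# Constructed input: the `cosign verify ... | jq .` output from the post.
VERIFY_OUTPUT = json.loads('''[{
  "critical": {
    "identity": {"docker-reference": "index.docker.io/muradsamadov/contenttrust"},
    "image": {"docker-manifest-digest": "sha256:30e6d35703c578ee703230b9dc87ada2ba958c1928615ac8a674fcbbcbb0f281"},
    "type": "cosign container image signature"},
  "optional": {"Bundle": {
    "SignedEntryTimestamp": "MEUCIDiG6KvLgJfjQfDucJGmgoxOWU62YeMX2sPIOtm0LQ/5AiEA2R/NfnsbbTU4ofUg1B8XFQnJx+MAkzarv/Q8hAerk0c=",
    "Payload": {
      "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI3ZGYwYWJkNDVjZjZhYWEwNDFkOGY0OWMzZmU5ODFhNDYyN2I3MjhlODYyNmFlYjAyN2Y0N2VhNzk3ZTI1NDVlIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQXlvMGdVTEppWG9NcEdDOElmd1g4QlFSZlJiRHhYRC9nVy9VNnp6RmpIN0FpQThhYUx4M1VsYyt4d09nWmJkY3BvcU91T0JHb1M0M3FIQkcvcUV2am4wMWc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGTmxOUmRsUjNWME5OU1UxbFoycEdVelY2VG5kdWEyZDRXV041YUFweVkwVkdaMkZvUzBjcmQycFBkbTU2ZDJ4aE5HSldZVEJ6Uldad0wySlZhR3MzSzNGRmVtVjBaSGhuVFZGWVRFY3lkVlpCYUVwSGFHZEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
      "integratedTime": 1686939096,
      "logIndex": 24000966,
      "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}
}]''')

# Image reference quoted in the webhook's denial message (from the post).
WEBHOOK_IMAGE = ("index.docker.io/muradsamadov/contenttrust"
                 "@sha256:30e6d35703c578ee703230b9dc87ada2ba958c1928615ac8a674fcbbcbb0f281")


def decode_body(bundle):
    """Return the Rekor log entry encoded in the bundle's base64 body."""
    return json.loads(base64.b64decode(bundle["Payload"]["body"]))


def hashedrekord_fields(entry):
    """Pull out what a verifier needs from a hashedrekord entry.

    payload_sha256 is the hash of the signed simple-signing payload (the
    manifest digest lives inside that payload, so the two differ),
    signature is the DER ECDSA signature over that payload, and
    public_key_pem is the signer key as recorded in the log, which a policy
    must still compare against the trusted key (cosign.pub).
    """
    if entry["kind"] != "hashedrekord":
        raise ValueError("unexpected entry kind: %s" % entry["kind"])
    spec = entry["spec"]
    return {
        "payload_sha256": spec["data"]["hash"]["value"],
        "signature": base64.b64decode(spec["signature"]["content"]),
        "public_key_pem": base64.b64decode(
            spec["signature"]["publicKey"]["content"]).decode(),
    }


def signed_digest(signature):
    """Manifest digest the cosign signature claims to cover."""
    return signature["critical"]["image"]["docker-manifest-digest"]


def digest_matches_image(signature, image_ref):
    """True when a digest-pinned reference equals the signed digest."""
    _, _, digest = image_ref.rpartition("@")
    return digest != "" and digest == signed_digest(signature)


def set_signed_bytes(bundle):
    """Canonical JSON that Rekor's SignedEntryTimestamp is a signature over.

    Rekor signs the canonicalized {body, integratedTime, logID, logIndex};
    for these scalar values sorted keys without whitespace reproduce it.
    """
    p = bundle["Payload"]
    entry = {"body": p["body"], "integratedTime": p["integratedTime"],
             "logID": p["logID"], "logIndex": p["logIndex"]}
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def pem_to_der(pem):
    """Strip PEM armour and return the DER bytes."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def key_is_log_key(pem, log_id):
    """A Rekor logID is the hex SHA-256 of the log's DER public key, so a
    fetched Rekor key can be checked against the bundle before use."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest() == log_id


if __name__ == "__main__":
    sig = VERIFY_OUTPUT[0]
    bundle = sig["optional"]["Bundle"]
    fields = hashedrekord_fields(decode_body(bundle))
    print("signed digest == webhook digest:", digest_matches_image(sig, WEBHOOK_IMAGE))
    print("payload sha256:", fields["payload_sha256"])
    print("SET covers:", set_signed_bytes(bundle)[:40], b"...")
    # The signer's key is not the log key; only the real Rekor key matches.
    print("signer key is the log key:",
          key_is_log_key(fields["public_key_pem"], bundle["Payload"]["logID"]))
```

Running it on the posted output shows the signed digest is exactly the one the webhook resolved, so the remaining check to make in the cluster is the TUF bootstrap: the webhook's cosign/go-tuf version must be able to parse the key formats in the current Sigstore root.json (version 7 in the status dump), and the webhook pod needs network reach to the TUF mirror and Rekor. Until the webhook can obtain and trust the Rekor key whose SHA-256 equals the bundle's logID, every signature that carries a bundle will be rejected before cosign.pub is consulted.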