Clarify signed: false in ACR with notation v2 #23

Open
dtzar opened this issue Jun 2, 2022 · 1 comment

dtzar commented Jun 2, 2022

When you remotely sign the images in ACR it adds the signature to the manifest, but it doesn't update the signed: field in the manifest. Notary v1 supports this - see Managed Signed images article.

```
notation sign $IMAGE
sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613
notation verify $IMAGE
sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613
```

However, when you run the az acr manifest - one of the fields says "signed": false.

```
az acr manifest show-metadata $IMAGE -o jsonc
Command group 'acr manifest' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
{
  "changeableAttributes": {
    "deleteEnabled": true,
    "listEnabled": true,
    "readEnabled": true,
    "writeEnabled": true
  },
  "createdTime": "2022-05-13T23:15:54.3478293Z",
  "digest": "sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613",
  "lastUpdateTime": "2022-05-13T23:15:54.3478293Z",
  "name": "v1",
  "quarantineState": "Passed",
  "signed": false
}
```

```
oras discover -o tree $IMAGE
daveteacr.azurecr.io/net-monitor:v1
├── signature/example
│   └── sha256:6dcae102039d2a770a0df6d20834a3506870bf88c732b5508431a04f7b4a2cfb
├── readme/example
│   └── sha256:9b575d41c5e5dfe2535a04fbfa4ad8df6b8cb2948a171370e1c6681feed3337f
├── sbom/example
│   └── sha256:b25c74b18603ce1bc92dd3c64c005538777ca7e1347d769623b7c68d93abb9d2
└── application/vnd.cncf.notary.v2.signature
    ├── sha256:7fa8ccc2cca8da0fd158f809857d1fbffac428e411f9c3fe25bc88b3393e7c5e
    ├── sha256:577b8edaa5995404b5e365acf63671dc416a34c7314fab511d2db3f5ce82148d
    └── sha256:569363022bd37dc17c95815eebd10151d4504651908b835f7970f74115386633
```

dtzar commented Jun 2, 2022

Also see related notaryproject/specifications#161

dtzar changed the title from "Support content Trust in ACR" to "Clarify signed: false in ACR with notation v2" on Oct 21, 2022
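A cross-check for the mismatch reported in this issue, as an added example that is not part of the issue or of the project's code: it parses the `az acr manifest show-metadata` JSON and the `oras discover -o tree` output and reports when notation v2 signature artifacts are attached while `signed` is false. The sample inputs are copied from the issue (trimmed), and the function names `parse_discover_tree` and `signature_status` are assumptions made for this example.

```python
import json
import re

# Artifact type of notation v2 signatures, as shown in the issue's oras output.
NOTATION_V2_TYPE = "application/vnd.cncf.notary.v2.signature"

# Sample inputs copied from the issue (metadata and tree trimmed to the relevant parts).
SAMPLE_METADATA = """Command group 'acr manifest' is in preview and under development.
{
  "digest": "sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613",
  "signed": false
}"""
SAMPLE_TREE = """daveteacr.azurecr.io/net-monitor:v1
├── signature/example
│   └── sha256:6dcae102039d2a770a0df6d20834a3506870bf88c732b5508431a04f7b4a2cfb
├── sbom/example
│   └── sha256:b25c74b18603ce1bc92dd3c64c005538777ca7e1347d769623b7c68d93abb9d2
└── application/vnd.cncf.notary.v2.signature
    ├── sha256:7fa8ccc2cca8da0fd158f809857d1fbffac428e411f9c3fe25bc88b3393e7c5e
    ├── sha256:577b8edaa5995404b5e365acf63671dc416a34c7314fab511d2db3f5ce82148d
    └── sha256:569363022bd37dc17c95815eebd10151d4504651908b835f7970f74115386633
"""

BRANCH = re.compile(r"^((?:│   |    )*)(?:├── |└── )(.+)$")

def parse_discover_tree(text):
    """Return {artifact_type: [digest, ...]} for the direct referrers in the tree."""
    referrers, current = {}, None
    for line in text.replace("\u00a0", " ").splitlines():
        m = BRANCH.match(line)
        if not m:
            continue  # root reference line or blank line
        depth, label = len(m.group(1)) // 4, m.group(2).strip()
        if depth == 0:
            current = label
            referrers.setdefault(label, [])
        elif depth == 1 and current and label.startswith("sha256:"):
            referrers[current].append(label)
    return referrers

def signature_status(metadata_out, tree_out):
    """Compare the manifest's `signed` field with attached notation v2 signatures."""
    meta = json.loads(metadata_out[metadata_out.index("{"):])  # skip the CLI preview warning
    sigs = parse_discover_tree(tree_out).get(NOTATION_V2_TYPE, [])
    flag = bool(meta.get("signed"))
    return {"digest": meta.get("digest"), "signed_field": flag,
            "notation_signatures": len(sigs), "mismatch": bool(sigs) and not flag}

if __name__ == "__main__":
    print(signature_status(SAMPLE_METADATA, SAMPLE_TREE))
```

Counting referrers only shows that signature artifacts are attached; `notation verify` is what validates them.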