Cannot produce attestation file from local podman image #1664

Open
@fpoirotte

What happened:

When trying to build an SBOM attestation from a local podman image (podman:localhost/test:0.0.0), an error is raised while running cosign:

$ syft attest --key /tmp/cosign.key podman:localhost/test:0.0.0 -o cyclonedx-json > /tmp/attest.json
 ✔ Loaded image            
 ✔ Parsed image            
 ⠋ Cataloging packages     [packages 0]
 ⠋ Creating attestation    [running cosign]
     ░░ Error: signing podman:localhost/test:0.0.0: parsing reference: could not parse reference: podman:localhost/test:0.0.0
     ░░ main.go:74: error during command execution: signing podman:localhost/test:0.0.0: parsing reference: could not parse reference: podman:localhost/test:0.0.0
2023/03/10 10:37:20 error during command execution: 1 error occurred:
	* unable to attest SBOM: exit status 1

The reference that is passed to cosign includes the podman: prefix, which may be incorrect. (cosign accepts URIs for images, but I could not find any documentation on supported URI schemes. Hence, I'm not sure if the podman: scheme is supposed to work or not.)

What you expected to happen:

I expected an SBOM attestation file to be generated.

Steps to reproduce the issue:

  • Create a dummy Containerfile: echo "FROM alpine:3.17" > /tmp/Containerfile
  • Create an image using podman/buildah: buildah bud -t localhost/test:0.0.0 /tmp/Containerfile
  • Attempt to generate an SBOM attestation: syft attest --key /tmp/cosign.key podman:localhost/test:0.0.0 -o cyclonedx-json > /tmp/attest.json

Anything else we need to know?:

n/a

Environment:

  • Output of syft version:
Application:        syft
Version:            0.74.1
JsonSchemaVersion:  7.0.1
BuildDate:          2023-03-09T13:42:25Z
GitCommit:          41cbbe09b205e3b80e8a57d4f7a509b5f938557d
GitDescription:     v0.74.1
Platform:           linux/amd64
GoVersion:          go1.19.6
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Fedora Linux"
VERSION="37 (Workstation Edition)"
ID=fedora
VERSION_ID=37
VERSION_CODENAME=""
PLATFORM_ID="platform:f37"
PRETTY_NAME="Fedora Linux 37 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:37"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f37/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=37
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=37
SUPPORT_END=2023-11-14
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Labels: attestation (Related to attestation features), bug (Something isn't working)