application/jose+json is not supported

Question

application/jose+json is not supported

phbelitz opened this issue 9 months ago · comments

What is not working as expected?

After integrating notation-go into a Kubernetes admission controller and trying to verify the image ghcr.io/deislabs/ratify/notary-image:signed, verification fails with unable to parse the digital signature, error : signature envelope format with media type \"application/jose+json\" is not supported.

What did you expect to happen?

notation-go should support signature formats it itself created and successfully validate the signature of ghcr.io/deislabs/ratify/notary-image:signed.

How can we reproduce it?

The image ghcr.io/deislabs/ratify/notary-image:signed was used and for verification the following certificate:

Here a shortened version of the code I used (took away lots of the error handling and surrounding logic):

type NotaryV2Validator struct {
	Name        string
	Type        string
	Trust_store truststore.X509TrustStore
}

func (nv2v *NotaryV2Validator) ValidateImage(
	ctx context.Context,
	image name.Reference,
	args policy.RuleOptions,
) (string, error) {
	img, tag := transformImage(image)

	policy, _ := nv2v.setUpTrustPolicy(img, args)
	ver, _ := verifier.New(policy, nv2v.Trust_store, nil)
	remoteRepo, _ := remote.NewRepository(img + tag)
	remoteRegistry := registry.NewRepository(remoteRepo)

	desc, _ := remoteRegistry.Resolve(nv2_ctx, img+tag)
	exampleVerifyOptions := notation.VerifyOptions{
		ArtifactReference:    fmt.Sprintf("%s@%s", img, desc.Digest.String()),
		MaxSignatureAttempts: 50,
	}

	digest, _, err := notation.Verify(nv2_ctx, ver, remoteRegistry, exampleVerifyOptions)
	if err != nil {
		return "", fmt.Errorf("failed to verify image: %s", err)
	}

	return string(digest.Digest), nil
}

func (nv2v *NotaryV2Validator) setUpTrustPolicy(
	image string,
	args policy.RuleOptions,
) (*trustpolicy.Document, error) {
	// imtr stores the certificates to be used for verification
	imtr := nv2v.Trust_store.(*InMemoryTrustStore)
	// selects all the certificates to use, by an overarching policy
	trs, _ := common.GetTrustRoots(args.TrustRoots, imtr.trust_roots, true)

	return &trustpolicy.Document{
		Version: "1.0",
		TrustPolicies: []trustpolicy.TrustPolicy{
			{
				Name:           "default",
				RegistryScopes: []string{image},
				SignatureVerification: trustpolicy.SignatureVerification{
					VerificationLevel: trustpolicy.LevelStrict.Name,
				},
				TrustStores: utils.Map[common.TrustRoot, string](
					trs,
					func(tr common.TrustRoot) string {
						return fmt.Sprintf("ca:%s", tr.Name)
					},
				),
				TrustedIdentities: []string{"*"},
			},
		},
	}, nil
}

Describe your environment

Running inside a distroless/base-debian11 container. The code was compiled to a binary using Go 1.19. The container itself is running inside a Kubernetes cluster as an admission controller.

What is the version of your notation-go Library?

github.com/notaryproject/notation-go v1.0.0

Patrick Zheng · Answer 1 · Fri Sep 22 2023 10:20:19 GMT+0800 (China Standard Time)

@phbelitz I'm trying to troubleshoot the issue, could you try adding a single line in your code under import:
_ "github.com/notaryproject/notation-core-go/signature/jws".
(Note the underscore _ at the front of the import, since you are not directly using jws package, it won't stand without this underscore.) Let's see if this could fix the issue. Thanks.

Philipp Belitz · Answer 2 · Fri Sep 22 2023 15:59:51 GMT+0800 (China Standard Time)

@Two-Hearts yes, awesome. I guess i should import the _ "github.com/notaryproject/notation-core-go/signature/cose" aswell? Wasn't aware that those are necessary. Closing this as the problem was fixed.

Patrick Zheng · Answer 3 · Fri Sep 22 2023 16:27:23 GMT+0800 (China Standard Time)

I guess i should import the _ "github.com/notaryproject/notation-core-go/signature/cose" aswell?

@phbelitz Yes, since we support two signature formats at the moment. You should also import COSE as well.