Cosign Verification Failure After Image Transfer #4207

sarathkumarpgm · 2025-05-16T13:44:15Z

I am experiencing a Cosign verification failure after transferring a signed container image between two OCI registries hosted on different servers. While the image digest remains unchanged, the signature payload appears to be modified upon attachment, causing verification errors.

Expected behaviour

We expect the Cosign signature to remain valid after transferring the signed image to a different OCI registry. The digest should stay unchanged, and verification should succeed in target mechine

The commands used in my scenario:

`Machine 1: Docker registry

cosign sign --key cosign.key localhost:5000/my-ubuntu-4:1.0
skopeo copy --preserve-digests --src-tls-verify=false docker://localhost:5000/my-ubuntu-4:1.0 dir:/home/sarath/my-ubuntu-skopeo/
cd /home/sarath/my-ubuntu-skopeo/
cosign download signature localhost:5000/my-ubuntu-4:1.0 | jq -r '.Base64Signature' > signature.sig
cosign download signature localhost:5000/my-ubuntu-4:1.0 > payload.json
tar -cvf my-ubuntu-skopeo.tar -C /home/sarath/my-ubuntu-skopeo/ .

Machine 2: Containerd registry

tar -xvf my-ubuntu-skopeo.tar
skopeo copy --preserve-digests --dest-tls-verify=false dir:/home/sarath/dockerTest/my-ubuntu-skopeo docker://localhost:5000/my-ubuntu-4:1.0
cosign attach signature --payload payload.json --signature signature.sig localhost:5000/my-ubuntu-4:1.0

we encountered with an error:

cosign verify --key cosign.pub localhost:5000/my-ubuntu-4:1.0
Error: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest {"code":400,"message":"verifying signature: invalid signature when validating ASN.1 encoded signature"}
error during command execution: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest {"code":400,"message":"verifying signature: invalid signature when validating ASN.1 encoded signature"}

We used Skopeo to preserve the image digest, ensuring that the digest remains the same on both the source and target machines. Additionally, the signature is attached to the tag,but still facing issue

curl -X GET 'http://localhost:5000/v2/my-ubuntu-4/tags/list'

Version:
GitVersion:    v2.5.0
GitCommit:     38bb98697005cdc5c092f031594c0e45d039f4a0
GitTreeState:  clean
BuildDate:     2025-04-07T20:33:49Z
GoVersion:     go1.24.1
Compiler:      gc
Platform:      linux/amd64

The text was updated successfully, but these errors were encountered:

sarathkumarpgm · 2025-05-16T14:10:00Z

We are noticing mismatches in the signature's payload section after testing on both machines. The details are as follows:
cosign download signature localhost:5000/my-ubuntu-4:1.0

Signed machine(machine 1) 
------------------------------
{"Base64Signature":"MEQCIGnMnU8FiEcNVIgeR6HxNp4Gaqg5q0XLSNhBO5pp+QaNAiB40iDMGGQdthm8U9qQeCAzp6ecLdKCG3R/yq5S2uMa6g==","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoibG9jYWxob3N0OjUwMDAvbXktdWJ1bnR1LTQifSwiaW1hZ2UiOnsiZG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6InNoYTI1Njo4ZGE3YzM4ZjY4OGQyZDYwZmFiNTRhM2U1NmQ2OGI0ZDk2Y2EwMTdmMTNiNjJhZGQ1M2RmNTVhMWMxMWUxOWIzIn0sInR5cGUiOiJjb3NpZ24gY29udGFpbmVyIGltYWdlIHNpZ25hdHVyZSJ9LCJvcHRpb25hbCI6bnVsbH0=","Cert":null,"Chain":null,"Bundle":{"SignedEntryTimestamp":"MEUCIQC7FTse+Y2NZwG10QskYY3/416hJaxZJ4h46td2Wk3zygIgUX1hS7TPRXJjKYGe/zbXm7sL8ZNdRUYgKTiFxymvx0c=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNGMwNTIxNzZjMDRkMjkzYTg1YmZkZThiYjQ0NzQzMWFkOWNhYzExMTliNDE3YzQ0NGQwMjQ3ZTY4NmI0YmRjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJR25NblU4RmlFY05WSWdlUjZIeE5wNEdhcWc1cTBYTFNOaEJPNXBwK1FhTkFpQjQwaURNR0dRZHRobThVOXFRZUNBenA2ZWNMZEtDRzNSL3lxNVMydU1hNmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGVjFCR2NEQm9NbXQzUWpWbVVXVlRTSE5XUTJ4aVRVTkpRa3hwUkFvNGFsRndSME4yZG5NMGNWRmtXRFl3V21aMlMxRnZXWFJGTDBOelZGYzVNMVJLZURseEsyVXpUWEl2U3pKb1RWQndSbTlXVUdWTFZYTm5QVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1747378610,"logIndex":213867933,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"RFC3161Timestamp":null}

Verifying machine (machine 2)
---------------------------------
{"Base64Signature":"MEQCIGnMnU8FiEcNVIgeR6HxNp4Gaqg5q0XLSNhBO5pp+QaNAiB40iDMGGQdthm8U9qQeCAzp6ecLdKCG3R/yq5S2uMa6g==\n","Payload":"eyJCYXNlNjRTaWduYXR1cmUiOiJNRVFDSUduTW5VOEZpRWNOVklnZVI2SHhOcDRHYXFnNXEwWExTTmhCTzVwcCtRYU5BaUI0MGlETUdHUWR0aG04VTlxUWVDQXpwNmVjTGRLQ0czUi95cTVTMnVNYTZnPT0iLCJQYXlsb2FkIjoiZXlKamNtbDBhV05oYkNJNmV5SnBaR1Z1ZEdsMGVTSTZleUprYjJOclpYSXRjbVZtWlhKbGJtTmxJam9pYkc5allXeG9iM04wT2pVd01EQXZiWGt0ZFdKMWJuUjFMVFFpZlN3aWFXMWhaMlVpT25zaVpHOWphMlZ5TFcxaGJtbG1aWE4wTFdScFoyVnpkQ0k2SW5Ob1lUSTFOam80WkdFM1l6TTRaalk0T0dReVpEWXdabUZpTlRSaE0yVTFObVEyT0dJMFpEazJZMkV3TVRkbU1UTmlOakpoWkdRMU0yUm1OVFZoTVdNeE1XVXhPV0l6SW4wc0luUjVjR1VpT2lKamIzTnBaMjRnWTI5dWRHRnBibVZ5SUdsdFlXZGxJSE5wWjI1aGRIVnlaU0o5TENKdmNIUnBiMjVoYkNJNmJuVnNiSDA9IiwiQ2VydCI6bnVsbCwiQ2hhaW4iOm51bGwsIkJ1bmRsZSI6eyJTaWduZWRFbnRyeVRpbWVzdGFtcCI6Ik1FVUNJUUM3RlRzZStZMk5ad0cxMFFza1lZMy80MTZoSmF4Wko0aDQ2dGQyV2szenlnSWdVWDFoUzdUUFJYSmpLWUdlL3piWG03c0w4Wk5kUlVZZ0tUaUZ4eW12eDBjPSIsIlBheWxvYWQiOnsiYm9keSI6ImV5SmhjR2xXWlhKemFXOXVJam9pTUM0d0xqRWlMQ0pyYVc1a0lqb2lhR0Z6YUdWa2NtVnJiM0prSWl3aWMzQmxZeUk2ZXlKa1lYUmhJanA3SW1oaGMyZ2lPbnNpWVd4bmIzSnBkR2h0SWpvaWMyaGhNalUySWl3aWRtRnNkV1VpT2lJeE5HTXdOVEl4Tnpaak1EUmtNamt6WVRnMVltWmtaVGhpWWpRME56UXpNV0ZrT1dOaFl6RXhNVGxpTkRFM1l6UTBOR1F3TWpRM1pUWTRObUkwWW1SakluMTlMQ0p6YVdkdVlYUjFjbVVpT25zaVkyOXVkR1Z1ZENJNklrMUZVVU5KUjI1TmJsVTRSbWxGWTA1V1NXZGxValpJZUU1d05FZGhjV2MxY1RCWVRGTk9hRUpQTlhCd0sxRmhUa0ZwUWpRd2FVUk5SMGRSWkhSb2JUaFZPWEZSWlVOQmVuQTJaV05NWkV0RFJ6TlNMM2x4TlZNeWRVMWhObWM5UFNJc0luQjFZbXhwWTB0bGVTSTZleUpqYjI1MFpXNTBJam9pVEZNd2RFeFRNVU5TVldSS1ZHbENVVlpWU2sxVFZVMW5VekJXV2t4VE1IUk1VekJMVkZWYWNtUXdWak5YVldoTVlqRndTbVZ0YjNkUk1FWlNWMVZzVEdJeGNFcGxiVzkzVWtWR1Vsa3dVbEphTUVaR1ZqRkNSMk5FUW05TmJYUXpVV3BXYlZWWFZsUlRTRTVYVVRKNGFWUlZUa3BSYTNod1VrRnZOR0ZzUm5kU01FNHlaRzVOTUdOV1JtdFhSRmwzVjIxYU1sTXhSblpYV0ZKR1REQk9lbFpHWXpWTk1WSkxaVVJzZUVzeVZYcFVXRWwyVTNwS2IxUldRbmRTYlRsWFZVZFdURlpZVG01UVZEQkxURk13ZEV4VE1VWlVhMUZuVlVaV1ExUkZiRVJKUlhSR1YxTXdkRXhUTUhSRFp6MDlJbjE5ZlgwPSIsImludGVncmF0ZWRUaW1lIjoxNzQ3Mzc4NjEwLCJsb2dJbmRleCI6MjEzODY3OTMzLCJsb2dJRCI6ImMwZDIzZDZhZDQwNjk3M2Y5NTU5ZjNiYTJkMWNhMDFmODQxNDdkOGZmYzViODQ0NWMyMjRmOThiOTU5MTgwMWQifX0sIlJGQzMxNjFUaW1lc3RhbXAiOm51bGx9Cg==","Cert":null,"Chain":null,"Bundle":null,"RFC3161Timestamp":null}

Also we did debug on cosign verify using --verbose in both machine and found tahat some mismatches in manifest section
cosign verify --key cosign.pub localhost:5000/my-ubuntu-4:1.0 --verbose

machine 1
------------------------------
cosign verify --key cosign.pub localhost:5000/my-ubuntu-4:1.0 --verbose
2025/05/16 19:37:55 --> GET https://localhost:5000/v2/
2025/05/16 19:37:55 GET /v2/ HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:37:55 <-- tls: first record does not look like a TLS handshake GET https://localhost:5000/v2/ (845.867µs)
2025/05/16 19:37:55 --> GET http://localhost:5000/v2/
2025/05/16 19:37:55 GET /v2/ HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:37:55 <-- 200 http://localhost:5000/v2/ (1.060079ms)
2025/05/16 19:37:55 HTTP/1.1 200 OK
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Fri, 16 May 2025 14:07:55 GMT
Docker-Distribution-Api-Version: registry/2.0

{}
2025/05/16 19:37:55 --> GET http://localhost:5000/v2/my-ubuntu-4/manifests/1.0
2025/05/16 19:37:55 GET /v2/my-ubuntu-4/manifests/1.0 HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Accept-Encoding: gzip


2025/05/16 19:37:55 <-- 200 http://localhost:5000/v2/my-ubuntu-4/manifests/1.0 (900.582µs)
2025/05/16 19:37:55 HTTP/1.1 200 OK
Content-Length: 736
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Fri, 16 May 2025 14:07:55 GMT
Docker-Content-Digest: sha256:8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3"

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 2538,
      "digest": "sha256:329cd76b8a84032d96072c979eebc1dd5008e2d328617411e4f2515b69f56e39"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 30586847,
         "digest": "sha256:f03f49e66a78dccae749ea6739468021f4482226f4a87545a9dbcaf148553343"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 145,
         "digest": "sha256:5c69c54c5517e844304ba79964ecce244527f277bd4682d347fbd7dcaaa37ba6"
      }
   ]
}
2025/05/16 19:37:55 --> GET http://localhost:5000/v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig
2025/05/16 19:37:55 GET /v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Accept-Encoding: gzip


2025/05/16 19:37:55 <-- 200 http://localhost:5000/v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig (996.156µs)
2025/05/16 19:37:55 HTTP/1.1 200 OK
Content-Length: 1621
Content-Type: application/vnd.oci.image.manifest.v1+json
Date: Fri, 16 May 2025 14:07:55 GMT
Docker-Content-Digest: sha256:485dbcca35bf89ed66de163a685cb38309e79c05b1b99663561fead3e857ade9
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:485dbcca35bf89ed66de163a685cb38309e79c05b1b99663561fead3e857ade9"

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:071e0c8bf6c3efb4431a0a5aea11997785705aedbae16693ce826a16483a8fa5"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":242,"digest":"sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc","annotations":{"dev.cosignproject.cosign/signature":"MEQCIGnMnU8FiEcNVIgeR6HxNp4Gaqg5q0XLSNhBO5pp+QaNAiB40iDMGGQdthm8U9qQeCAzp6ecLdKCG3R/yq5S2uMa6g==","dev.sigstore.cosign/bundle":"{\"SignedEntryTimestamp\":\"MEUCIQC7FTse+Y2NZwG10QskYY3/416hJaxZJ4h46td2Wk3zygIgUX1hS7TPRXJjKYGe/zbXm7sL8ZNdRUYgKTiFxymvx0c=\",\"Payload\":{\"body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNGMwNTIxNzZjMDRkMjkzYTg1YmZkZThiYjQ0NzQzMWFkOWNhYzExMTliNDE3YzQ0NGQwMjQ3ZTY4NmI0YmRjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJR25NblU4RmlFY05WSWdlUjZIeE5wNEdhcWc1cTBYTFNOaEJPNXBwK1FhTkFpQjQwaURNR0dRZHRobThVOXFRZUNBenA2ZWNMZEtDRzNSL3lxNVMydU1hNmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGVjFCR2NEQm9NbXQzUWpWbVVXVlRTSE5XUTJ4aVRVTkpRa3hwUkFvNGFsRndSME4yZG5NMGNWRmtXRFl3V21aMlMxRnZXWFJGTDBOelZGYzVNMVJLZURseEsyVXpUWEl2U3pKb1RWQndSbTlXVUdWTFZYTm5QVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=\",\"integratedTime\":1747378610,\"logIndex\":213867933,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"}}]}
2025/05/16 19:37:55 --> GET http://localhost:5000/v2/my-ubuntu-4/blobs/sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc [body redacted: omitting binary blobs from logs]
2025/05/16 19:37:55 GET /v2/my-ubuntu-4/blobs/sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:37:55 <-- 200 http://localhost:5000/v2/my-ubuntu-4/blobs/sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc (1.777248ms) [body redacted: omitting binary blobs from logs]
2025/05/16 19:37:55 HTTP/1.1 200 OK
Content-Length: 242
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Type: application/octet-stream
Date: Fri, 16 May 2025 14:07:55 GMT
Docker-Content-Digest: sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:14c052176c04d293a85bfde8bb447431ad9cac1119b417c444d0247e686b4bdc"



Verification for localhost:5000/my-ubuntu-4:1.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"localhost:5000/my-ubuntu-4"},"image":{"docker-manifest-digest":"sha256:8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIQC7FTse+Y2NZwG10QskYY3/416hJaxZJ4h46td2Wk3zygIgUX1hS7TPRXJjKYGe/zbXm7sL8ZNdRUYgKTiFxymvx0c=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNGMwNTIxNzZjMDRkMjkzYTg1YmZkZThiYjQ0NzQzMWFkOWNhYzExMTliNDE3YzQ0NGQwMjQ3ZTY4NmI0YmRjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJR25NblU4RmlFY05WSWdlUjZIeE5wNEdhcWc1cTBYTFNOaEJPNXBwK1FhTkFpQjQwaURNR0dRZHRobThVOXFRZUNBenA2ZWNMZEtDRzNSL3lxNVMydU1hNmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGVjFCR2NEQm9NbXQzUWpWbVVXVlRTSE5XUTJ4aVRVTkpRa3hwUkFvNGFsRndSME4yZG5NMGNWRmtXRFl3V21aMlMxRnZXWFJGTDBOelZGYzVNMVJLZURseEsyVXpUWEl2U3pKb1RWQndSbTlXVUdWTFZYTm5QVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1747378610,"logIndex":213867933,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]

machine 2
------------------------------
cosign verify --key cosign.pub localhost:5000/my-ubuntu-4:1.0 --verbose
2025/05/16 19:38:56 --> GET https://localhost:5000/v2/
2025/05/16 19:38:56 GET /v2/ HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:38:56 <-- tls: first record does not look like a TLS handshake GET https://localhost:5000/v2/ (933.896µs)
2025/05/16 19:38:56 --> GET http://localhost:5000/v2/
2025/05/16 19:38:56 GET /v2/ HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:38:56 <-- 200 http://localhost:5000/v2/ (1.307404ms)
2025/05/16 19:38:56 HTTP/1.1 200 OK
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Fri, 16 May 2025 14:08:56 GMT
Docker-Distribution-Api-Version: registry/2.0

{}
2025/05/16 19:38:56 --> GET http://localhost:5000/v2/my-ubuntu-4/manifests/1.0
2025/05/16 19:38:56 GET /v2/my-ubuntu-4/manifests/1.0 HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Accept-Encoding: gzip


2025/05/16 19:38:56 <-- 200 http://localhost:5000/v2/my-ubuntu-4/manifests/1.0 (1.063469ms)
2025/05/16 19:38:56 HTTP/1.1 200 OK
Content-Length: 736
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Fri, 16 May 2025 14:08:56 GMT
Docker-Content-Digest: sha256:8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3"

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 2538,
      "digest": "sha256:329cd76b8a84032d96072c979eebc1dd5008e2d328617411e4f2515b69f56e39"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 30586847,
         "digest": "sha256:f03f49e66a78dccae749ea6739468021f4482226f4a87545a9dbcaf148553343"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 145,
         "digest": "sha256:5c69c54c5517e844304ba79964ecce244527f277bd4682d347fbd7dcaaa37ba6"
      }
   ]
}
2025/05/16 19:38:56 --> GET http://localhost:5000/v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig
2025/05/16 19:38:56 GET /v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Accept-Encoding: gzip


2025/05/16 19:38:56 <-- 200 http://localhost:5000/v2/my-ubuntu-4/manifests/sha256-8da7c38f688d2d60fab54a3e56d68b4d96ca017f13b62add53df55a1c11e19b3.sig (1.010457ms)
2025/05/16 19:38:56 HTTP/1.1 200 OK
Content-Length: 561
Content-Type: application/vnd.oci.image.manifest.v1+json
Date: Fri, 16 May 2025 14:08:56 GMT
Docker-Content-Digest: sha256:02f2c1f1a280583bcec14484ddd7b3fda949d341e55099309343330bfcb10d7d
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:02f2c1f1a280583bcec14484ddd7b3fda949d341e55099309343330bfcb10d7d"

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:ad84e2ec01a625cfd4ed93a701635523b0b937943959a4e8c21897ca3c514936"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":1528,"digest":"sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a","annotations":{"dev.cosignproject.cosign/signature":"MEQCIGnMnU8FiEcNVIgeR6HxNp4Gaqg5q0XLSNhBO5pp+QaNAiB40iDMGGQdthm8U9qQeCAzp6ecLdKCG3R/yq5S2uMa6g==\n"}}]}
2025/05/16 19:38:56 --> GET http://localhost:5000/v2/my-ubuntu-4/blobs/sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a [body redacted: omitting binary blobs from logs]
2025/05/16 19:38:56 GET /v2/my-ubuntu-4/blobs/sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a HTTP/1.1
Host: localhost:5000
User-Agent: cosign/v2.5.0 (linux; amd64) go-containerregistry/v0.20.3
Accept-Encoding: gzip


2025/05/16 19:38:56 <-- 200 http://localhost:5000/v2/my-ubuntu-4/blobs/sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a (2.732289ms) [body redacted: omitting binary blobs from logs]
2025/05/16 19:38:56 HTTP/1.1 200 OK
Content-Length: 1528
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Type: application/octet-stream
Date: Fri, 16 May 2025 14:08:56 GMT
Docker-Content-Digest: sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:a495886045d0a9a47abbb8cd538c5bac9bcf29db20941716e18c2c741aa00a8a"


Error: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest {"code":400,"message":"verifying signature: invalid signature when validating ASN.1 encoded signature"}
error during command execution: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest {"code":400,"message":"verifying signature: invalid signature when validating ASN.1 encoded signature"}

waiting for support how to find a solution in these scenario :

sarathkumarpgm added the bug Something isn't working label May 16, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cosign Verification Failure After Image Transfer #4207

Cosign Verification Failure After Image Transfer #4207

sarathkumarpgm commented May 16, 2025 •

edited

Loading

sarathkumarpgm commented May 16, 2025 •

edited

Loading

Uh oh!

Cosign Verification Failure After Image Transfer #4207

Cosign Verification Failure After Image Transfer #4207

Comments

sarathkumarpgm commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Expected behaviour

`Machine 1: Docker registry

Machine 2: Containerd registry

sarathkumarpgm commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sarathkumarpgm commented May 16, 2025 •

edited

Loading

sarathkumarpgm commented May 16, 2025 •

edited

Loading