Comments (1)
Hi @lewisdiamond, thank you for checking this.
This message data is not double gzipped, but it is "gzipped tar.gz binary".
To check the raw message data, you can follow these steps.
```
# get "message" data and save "message.tar.gz" file by doing base64 decode & gzip decode
$ cat sample-configmap.yaml.signed | yq4 eval '.metadata.annotations."cosign.sigstore.dev/message"' - | base64 -d | gzip -d > ./tmp/message.tar.gz
# decompress .tar.gz file
$ cd tmp
$ tar xzf message.tar.gz
$ ls -l
total 8
-rw-r--r-- 1 hiro staff 283 Nov 15 17:58 message.tar.gz
drwxr-xr-x 3 hiro staff 96 Nov 15 17:59 var
# the original manifest is here as file (the file path can be different depending on signing environment)
$ cat var/folders/6d/qyzngmnn7_905c0_cj01f2qw0000gn/T/compressing-tar-gz022313481/sample-configmap.yaml
apiVersion: v1
data:
  key1: val1
  key4: val4
kind: ConfigMap
metadata:
  name: sample-cm
```
The reason for creating the .tar.gz is to support signing a directory which contains multiple YAML manifests.
So basically it is working as expected.
from k8s-manifest-sigstore.
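The layering described in the comment above (base64, then gzip, then a tar.gz holding the manifests), decoded in memory as an added example; this is not code from the comment or from k8s-manifest-sigstore. The function names, the 1 MiB size cap and the sample member path are assumptions made for illustration, and the sample message is constructed.

```python
import base64
import gzip
import io
import tarfile

MAX_MEMBER_BYTES = 1 << 20  # assumed cap (1 MiB) per manifest; not a project value


def decode_message(annotation_value: str) -> dict[str, bytes]:
    """base64 -> gzip -> tar.gz -> {member path: file bytes}, all in memory."""
    inner_targz = gzip.decompress(base64.b64decode(annotation_value))
    manifests = {}
    with tarfile.open(fileobj=io.BytesIO(inner_targz), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and devices carry no manifest
            if member.size > MAX_MEMBER_BYTES:
                raise ValueError(f"{member.name}: {member.size} bytes exceeds cap")
            # Read the bytes instead of extracting: member paths come from the
            # signer's temp directory and should not be trusted as local paths.
            manifests[member.name] = tar.extractfile(member).read()
    return manifests


def build_sample_message(path: str, content: bytes) -> str:
    """Constructed input: wraps one file the way the comment describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=path)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return base64.b64encode(gzip.compress(buf.getvalue())).decode("ascii")


if __name__ == "__main__":
    # Constructed sample manifest and member path, not taken from a real signature.
    sample_yaml = (b"apiVersion: v1\ndata:\n  key1: val1\n  key4: val4\n"
                   b"kind: ConfigMap\nmetadata:\n  name: sample-cm\n")
    message = build_sample_message(
        "tmp/compressing-tar-gz-example/sample-configmap.yaml", sample_yaml)
    for name, data in decode_message(message).items():
        print(f"--- {name} ({len(data)} bytes)")
        print(data.decode())
```

Because the member path depends on the signing environment, match manifests by content or base name when comparing against the resource, not by the full path.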