'cosign sign' fails with JFrog Artifactory docker registry due to 403 response on non-existing tag #2973
Labels
enhancement
New feature or request
Comments
dmitris
added a commit
to dmitris/cosign
that referenced
this issue
May 11, 2023
Some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use `cosign sign`. This change treats 403 the same way as 404 to overcome this. It is similar and related to google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks". Fixes sigstore#2973. Signed-off-by: Dmitry S <dsavints@gmail.com>
dmitris
added a commit
to dmitris/cosign
that referenced
this issue
May 11, 2023
Some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use `cosign sign`. This change treats 403 the same way as 404 to overcome this. It is similar and related to google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks". Closes sigstore#2973. Signed-off-by: Dmitry S <dsavints@gmail.com>
dmitris
added a commit
to dmitris/cosign
that referenced
this issue
May 11, 2023
Some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use `cosign sign`. This change treats 403 the same way as 404 to overcome this. It is similar and related to google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks". Closes sigstore#2973. Signed-off-by: Dmitry S <dsavints@gmail.com>
dmitris
added a commit
to dmitris/cosign
that referenced
this issue
May 12, 2023
Some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use `cosign sign`. This change treats 403 the same way as 404 to overcome this. It is similar and related to google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks". Closes sigstore#2973. Signed-off-by: Dmitry S <dsavints@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
We observe the
cosign signstarted to fail with the Artifactory Registry from commit 17cc138 / #2929. Thecosignclients sends a GET request with a tag derived from the digest but with:changed to-and.sigappend, such as:GET https://docker.xyz.com:4443/v2/dmitris777/scratch-3047c035/manifests/sha256-766b3e7864fcccb18ca4bd0d3a396c8ee16da4fe5b321ccbae79bec32c95139f.sigIt does so to check if there is a signature image already or not, expecting the "regular" 404 (Not Found) if there is no such tag. Unfortunately, some Docker Registries such as JFrog Artifactory apparently return 403 (Forbidden) instead of 404 for the
/v2/<image>/manifests/<reference>when<reference>is a non-existing tag:It may be related to https://jfrog.atlassian.net/browse/RTFACT-13797 "Artifactory return 403 instead of 404 for non-existing artifacts in virtual repositories."
The proposed workaround is to treat the 403 response the same way as 404 when checking for existence of the signature image and not do a hard/fatal error in this case. This is similar to a recent change in https://github.com/google/go-containerregistry/pull/1691/files. When testing with modification in #2972, I was able to do
cosign sign(and the subsequentcosign verify)./cc @jonjohnsonjr
The text was updated successfully, but these errors were encountered: