CLOUDP-355439: Fix signing transparency log error (#2843)

* CLOUDP-355439: Fix signing transparency log error

* Fix transparencly log error

Signed-off-by: jose.vazquez <[email protected]>

---------

Signed-off-by: jose.vazquez <[email protected]>

Author: josvazg

.github/workflows/rebuild-released-images.yaml

@@ -222,7 +222,7 @@ jobs:
           GRS_PASSWORD:  ${{ secrets.GRS_PASSWORD }}
         run: |
           make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
-          make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+          make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO="quay.io/${{ env.IMAGE_REPOSITORY }}"
           make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
 
       - name: Self-verify images (Non Devbox)
@@ -233,7 +233,7 @@ jobs:
           GRS_PASSWORD:  ${{ secrets.GRS_PASSWORD }}
         run: |
           make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
-          make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+          make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO="quay.io/${{ env.IMAGE_REPOSITORY }}"
           make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
       
       - name: Sign images (Devbox)
@@ -244,7 +244,7 @@ jobs:
           GRS_PASSWORD:  ${{ secrets.GRS_PASSWORD }}
         run: |
           devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
-          devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
+          devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO="quay.io/${{ env.IMAGE_REPOSITORY }}"'
           devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'
           
       - name: Self-verify images (Devbox)
@@ -255,6 +255,6 @@ jobs:
           GRS_PASSWORD:  ${{ secrets.GRS_PASSWORD }}
         run: |
           devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
-          devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
+          devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO="quay.io/${{ env.IMAGE_REPOSITORY }}"'
           devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'
           

Makefile

@@ -523,16 +523,16 @@ endif
 .PHONY: sign
 sign: ## Sign an AKO multi-architecture image
 	@echo "Signing multi-architecture image $(IMG)..."
-	IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) ./scripts/sign-multiarch.sh
+	@IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) ./scripts/sign-multiarch.sh
 
 ./ako.pem:
 	curl $(AKO_SIGN_PUBKEY) > $@
 
 .PHONY: verify
 verify: ./ako.pem ## Verify an AKO multi-architecture image's signature
 	@echo "Verifying multi-architecture image signature $(IMG)..."
-	IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) \
-	./scripts/sign-multiarch.sh verify && echo "VERIFIED OK"
+	@IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) \
+	./scripts/sign-multiarch.sh verify
 
 .PHONY: helm-upd-crds
 helm-upd-crds:

scripts/sign-multiarch.sh

@@ -34,3 +34,9 @@ for platform_sha in ${IMG_PLATFORMS_SHAS}; do
   echo "${action} platform image ${img}@${platform_sha}..."
   IMG="${img}@${platform_sha}" "${SCRIPT_DIR}/${action}.sh"
 done
+
+msg="All signed"
+if [ "${action}" == "verify" ]; then
+  msg="All verified OK"
+fi
+echo "✅ ${msg}"

scripts/sign.sh

@@ -45,4 +45,6 @@ docker run \
   -v "$(pwd):$(pwd)" \
   -w "$(pwd)" \
   artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \
-  cosign sign --key "${PKCS11_URI}" --tlog-upload=false "${img}"
+  cosign sign --key "${PKCS11_URI}" \
+  --tlog-upload=false --use-signing-config=false --new-bundle-format=false "${img}" && \
+  echo "✍️  Signed"

scripts/verify.sh

@@ -25,4 +25,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 KEY_FILE=${KEY_FILE:-ako.pem}
 
 COSIGN_REPOSITORY="${SIGNATURE_REPO}" "${SCRIPT_DIR}"/retry.sh cosign verify \
-  --insecure-ignore-tlog --key="${KEY_FILE}" "${img_to_verify}"
+  --insecure-ignore-tlog --key="${KEY_FILE}" "${img_to_verify}" && echo "✅ Signature OK"