Error verifying attestation: validating_transport.go: could not decode armor signature: EOF


dgpt...@gmail.com

Nov 23, 2019, 8:02:00 AM
to Kritis users
Hi,

I'm trying out Kritis with standalone Grafeas in a local minikube cluster (OSX 10.12.6).

Due to the pending crypto.Signer issue in create_attestation.go, I have to write my own script to sign the test image and create an attestation via Grafeas' API.

GPG keys (these were created using the script from the guide):

$ gpg --list-keys
/Users/me/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2019-11-20 [SC] [expires: 2021-11-19]
      9071953D16E2679674B6D41939D5790A884DCD5B
uid           [ultimate] attestor@example.com
sub   rsa2048 2019-11-20 [E]

$ gpg --version
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5



Image sign:

cat >java-with-vulnz.txt <<EOF
sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a
EOF
### ### ###
# Sign the file..
### ### ###
gpg -u attestor@example.com \
  --armor \
  --sign \
  --output=java-with-vulnz-signature.gpg \
  java-with-vulnz.txt
### ### ###
# Verify the signature..
### ### ###
gpg --output - --verify java-with-vulnz-signature.gpg



Attestation creation:

# Define GPG_SIGNATURE & RESOURCE_URL environment variables..
export GPG_SIGNATURE=$(cat java-with-vulnz-signature.gpg | base64)
export RESOURCE_URL="https://gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a"

# Define the pgpSignedAttestation Occurrence content..
cat > prod-occurrence.json <<EOF
{
  "name": "projects/kritis/occurences/java-image-att",
  "noteName": "projects/kritis/notes/att",
  "resource": {
    "uri": "${RESOURCE_URL}"
  },
  "kind": "ATTESTATION",
  "attestation": {
    "attestation": {
      "pgpSignedAttestation": {
        "signature": "${GPG_SIGNATURE}",
        "pgpKeyId": "${GPG_KEY_ID}"
      }
    }
  }
}
EOF
### ### ###
# Post the pgpSignedAttestation content..
### ### ###
curl -k -v -E grafeas.pem -X POST \
  'https://grafeas-server:8080/v1beta1/projects/kritis/occurrences' \
  -d @prod-occurrence.json



Attestation entry in Grafeas:

curl -k -E grafeas.pem https://grafeas-server:8080/v1beta1/projects/kritis/occurrences | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1513  100  1513    0     0   9189      0 --:--:-- --:--:-- --:--:--  9225
{
  "occurrences": [
    {
      "name": "projects/kritis/occurrences/79f0f8f4-c4f2-439f-8551-7c89951078d2",
      "resource": {
        "name": "",
        "uri": "https://gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a",
        "contentHash": null
      },
      "noteName": "projects/kritis/notes/att",
      "kind": "ATTESTATION",
      "remediation": "",
      "createTime": "2019-11-23T11:30:24.291037207Z",
      "updateTime": "2019-11-23T11:30:24.291037207Z",
      "attestation": {
        "attestation": {
          "pgpSignedAttestation": {
            "signature": "<signature omitted>",
            "contentType": "CONTENT_TYPE_UNSPECIFIED",
            "pgpKeyId": "9071953D16E2679674B6D41939D5790A884DCD5B"
          }
        }
      }
    }
  ],
  "nextPageToken": ""
}


However, when I try to deploy a pod using the test image:

kubectl apply -f pod.yaml
Error from server: error when creating "pod.yaml": admission webhook "kritis-validation-hook.grafeas.io" denied the request: image gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a is not attested

And these are the logs from the Kritis validation webhook:

kritis-validation-hook-59f886f6bb-v4vwx kritis-server I1123 11:30:41.619964       1 admission.go:266] Found 1 Generic Attestation Policies
kritis-validation-hook-59f886f6bb-v4vwx kritis-server I1123 11:30:41.620322       1 review.go:70] Check if gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a has valid Attestations.
kritis-validation-hook-59f886f6bb-v4vwx kritis-server I1123 11:30:41.620349       1 review.go:73] Validating against GenericAttestationPolicy my-gap
kritis-validation-hook-59f886f6bb-v4vwx kritis-server E1123 11:30:41.672462       1 validating_transport.go:62] Could not find or verify attestation for attestor 9071953D16E2679674B6D41939D5790A884DCD5B: could not decode armor signature: EOF
kritis-validation-hook-59f886f6bb-v4vwx kritis-server I1123 11:30:41.672534       1 strategy.go:49] Handling attestation via LoggingStrategy
kritis-validation-hook-59f886f6bb-v4vwx kritis-server I1123 11:30:41.672544       1 strategy.go:53] No valid attestations found for image gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a. Proceeding with next checks

The AttestationAuthority CRD and `attestor` secret were also created using the `no_attestation.sh` script from the guide.

Nenad Dedić

Dec 18, 2019, 11:02:16 AM
to dgpt...@gmail.com, Kritis users
Hi,

I just filed https://github.com/grafeas/kritis/issues/427 to track this, and am working on a fix.  To summarize, I think the issue is that Kritis does not expect the signature to be base64 encoded.  This is IMO buggy behavior, and we should change it to work with base64 encoded signatures.

Thanks!

--
You received this message because you are subscribed to the Google Groups "Kritis users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kritis-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kritis-users/a78f647c-7322-4274-a9b2-c5804f4eff6b%40googlegroups.com.
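The mismatch Nenad describes, shown as an added Go example (this is not Kritis code and not from the thread). The script above stores `base64(armored signature)` in the occurrence, while the verifier hands the stored string straight to an ASCII-armor decoder. A minimal armor decoder in the style of the x/crypto one returns io.EOF when the input contains no "-----BEGIN" line at all, which is exactly the "could not decode armor signature: EOF" entry in the webhook log. The `decodeSignature` helper below is one way a verifier could accept both forms; the names `armorBlock`, `decodeArmor`, `decodeSignature`, `wrapBase64` and the sample bytes are constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// crc24 implements the OpenPGP armor checksum (RFC 4880, section 6.1).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// Block is one decoded ASCII-armor block.
type Block struct {
	Type    string            // e.g. "PGP MESSAGE" or "PGP SIGNATURE"
	Headers map[string]string // armor headers such as "Version"
	Body    []byte            // the binary OpenPGP packets
}

// armorBlock builds an armor block with a CRC24 trailer; used here only to
// produce constructed sample input (hypothetical helper, not gpg output).
func armorBlock(typ string, body []byte) string {
	c := crc24(body)
	sum := []byte{byte(c >> 16), byte(c >> 8), byte(c)}
	return "-----BEGIN " + typ + "-----\n\n" +
		base64.StdEncoding.EncodeToString(body) + "\n" +
		"=" + base64.StdEncoding.EncodeToString(sum) + "\n" +
		"-----END " + typ + "-----\n"
}

// wrapBase64 mimics what `cat sig.gpg | base64` in the thread's script stores.
func wrapBase64(armored string) string {
	return base64.StdEncoding.EncodeToString([]byte(armored))
}

// decodeArmor parses the first armor block in r. Like the x/crypto decoder it
// returns io.EOF when no BEGIN line exists anywhere in the input.
func decodeArmor(r io.Reader) (*Block, error) {
	sc := bufio.NewScanner(r)
	var blk *Block
	var b64 strings.Builder
	crcText := ""
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), " \t\r")
		if blk == nil {
			if strings.HasPrefix(line, "-----BEGIN ") && strings.HasSuffix(line, "-----") {
				blk = &Block{
					Type:    strings.TrimSuffix(strings.TrimPrefix(line, "-----BEGIN "), "-----"),
					Headers: map[string]string{},
				}
				for sc.Scan() { // armor headers run up to the first blank line
					h := strings.TrimRight(sc.Text(), " \t\r")
					if h == "" {
						break
					}
					if k, v, ok := strings.Cut(h, ": "); ok {
						blk.Headers[k] = v
					}
				}
			}
			continue
		}
		switch {
		case strings.HasPrefix(line, "-----END "):
			body, err := base64.StdEncoding.DecodeString(b64.String())
			if err != nil {
				return nil, fmt.Errorf("armor body: %w", err)
			}
			if crcText != "" {
				want, err := base64.StdEncoding.DecodeString(crcText)
				if err != nil || len(want) != 3 {
					return nil, errors.New("armor: malformed CRC24 line")
				}
				if uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) != crc24(body) {
					return nil, errors.New("armor: CRC24 mismatch")
				}
			}
			blk.Body = body
			return blk, nil
		case strings.HasPrefix(line, "="): // "=XXXX" checksum line
			crcText = line[1:]
		default:
			b64.WriteString(line)
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if blk == nil {
		return nil, io.EOF // no armor at all: the error seen in the Kritis log
	}
	return nil, io.ErrUnexpectedEOF // BEGIN without END
}

// decodeSignature accepts the armored signature as the verifier expected it, or
// the same armor wrapped once in base64 as the script in the thread stored it.
// This normalization is a suggestion for the reader, not Kritis's own fix.
func decodeSignature(sig string) (*Block, error) {
	blk, err := decodeArmor(strings.NewReader(sig))
	if err == nil || !errors.Is(err, io.EOF) {
		return blk, err
	}
	// Whitespace is dropped first because GNU base64 wraps its output at 76 columns.
	raw, b64err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(sig), ""))
	if b64err != nil {
		return nil, fmt.Errorf("signature is neither armored nor base64-wrapped armor: %w", err)
	}
	return decodeArmor(bytes.NewReader(raw))
}

// isNoArmor reports whether err is the "no BEGIN line" case.
func isNoArmor(err error) bool { return errors.Is(err, io.EOF) }

func main() {
	armored := armorBlock("PGP SIGNATURE", []byte("constructed signature packets"))
	wrapped := wrapBase64(armored)
	_, err := decodeArmor(strings.NewReader(wrapped))
	fmt.Println("plain armor decoder on base64-wrapped input:", err)
	for _, in := range []string{armored, wrapped} {
		blk, err := decodeSignature(in)
		fmt.Printf("decodeSignature: err=%v type=%q body=%q\n", err, blk.Type, blk.Body)
	}
}
```

Only the armor layer is covered here, because that is where the reported error originates; checking the OpenPGP signature inside `Block.Body` against the attestor's public key is a separate step. Either side of the boundary can be changed to fix the thread's problem: store the armored text unwrapped, or make the verifier unwrap base64 when no armor marker is present, as Nenad's issue proposes.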

Aysylu Greenberg

Dec 19, 2019, 5:11:40 PM
to Kritis users
Thank you both! Happy to review the PR, Nenad.