Container image verification failed #1031

Open
JanetZhouJ opened this issue Sep 6, 2024 · 1 comment
Labels: bug (Something isn't working), triage (Need to triage)

What is not working as expected?

When verifying the signed container image with notation I am getting the error

What did you expect to happen?

I just tested notation on a newly built image and it failed with an error; the reason described is "mismatch Content-Length". But I checked nginx for Harbor, and it has no errors and the request code is 200, so what does "mismatch Content-Length" mean?

How can we reproduce it?

First: notation cert generate-test --default "registry-ops.cokutau.com"
notation sign --signature-format cose registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011 (this works fine)

notation ls registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011
registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030
└── application/vnd.cncf.notary.signature
    └── sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a

notation verify registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011 -v (this fails with an error)
INFO Allowed to access the referrers API, fallback if not supported
INFO Reference 20240906_152011 resolved to manifest descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030 Size:1786 URLs:[] Annotations:map[] Data:[] Platform: ArtifactType:}
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:20240906_152011) because resolved digest may not point to the same signed artifact, as tags are mutable.
INFO Checking whether signature verification should be skipped or not
INFO Trust policy configuration: &{Name:registry-ops.cokutau.com RegistryScopes:[] SignatureVerification:{VerificationLevel:strict Override:map[] VerifyTimestamp:} TrustStores:[ca:registry-ops.cokutau.com] TrustedIdentities:[]}
INFO Check over. Trust policy is not configured to skip signature verification
INFO Processing signature with manifest mediaType: application/vnd.oci.image.manifest.v1+json and digest: sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a
Error: signature verification failed: unable to retrieve digital signature with digest "sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a" associated with "registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030" from the Repository, error : GET "https://registry-ops.cokutau.com/v2/dev-pjcxa/botstudio/manifests/sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a": mismatch Content-Length

Describe your environment

root@1b81bd31a2ce:/tmp# uname -a
Linux 1b81bd31a2ce 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 30 18:22:29 EDT 2024 x86_64 GNU/Linux
I used wget to fetch notation_$NOTATION_VERSION_linux_amd64.tar.gz and tar to extract it to /usr/local/bin/notation.

What is the version of your Notation CLI or Notation Library?

Version: 1.2.0
Go version: go1.23.0
Git commit: 4700ad6

JanetZhouJ added the bug and triage labels on Sep 6, 2024

FeynmanZhou (Member) commented Sep 10, 2024

Hi @JanetZhouJ ,

To troubleshoot the verification issue, can you please share the manifest metadata of your signed image? Maybe you can use the ORAS tool to get the manifest metadata:

oras manifest fetch registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011
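
An added example, not code from notation or from either participant in this thread: a Go check that compares a manifest response with the descriptor the client expects. It assumes that "mismatch Content-Length" is reported when the response's Content-Length header differs from the size recorded for the signature manifest; `Descriptor`, `CheckManifestResponse` and `Demo` are hypothetical names, and the manifest is constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Descriptor is the digest and size a client expects (hypothetical type, not notation's own).
type Descriptor struct {
	Digest string // "sha256:<hex>"
	Size   int64
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// CheckManifestResponse returns one finding per inconsistency; empty means consistent.
func CheckManifestResponse(want Descriptor, resp *http.Response) []string {
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return []string{"read body: " + err.Error()}
	}
	var findings []string
	// ContentLength is -1 when the header is absent (e.g. chunked encoding).
	if cl := resp.ContentLength; cl != -1 && cl != want.Size {
		findings = append(findings, fmt.Sprintf("Content-Length %d != descriptor size %d", cl, want.Size))
	}
	if n := int64(len(body)); n != want.Size {
		findings = append(findings, fmt.Sprintf("body length %d != descriptor size %d", n, want.Size))
	}
	if got := digestOf(body); got != want.Digest {
		findings = append(findings, fmt.Sprintf("body digest %s != descriptor digest %s", got, want.Digest))
	}
	return findings
}

// Demo checks a constructed manifest whose Content-Length header is off by delta bytes.
func Demo(delta int64) []string {
	m := `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}` // constructed
	resp := &http.Response{StatusCode: 200, ContentLength: int64(len(m)) + delta, Body: io.NopCloser(strings.NewReader(m))}
	return CheckManifestResponse(Descriptor{digestOf([]byte(m)), int64(len(m))}, resp)
}

func main() { fmt.Println(Demo(0), Demo(5)) }
```

Under that assumption, a 200 status in the proxy log does not rule the condition out, because the comparison is on the header value and body rather than on the status code.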
