Merge pull request #934 from docker/sigstore-verify-retry

sigstore: make retry on manifest unknown optional
2026-01-13 17:33:53 +01:00 · 2026-01-13 16:21:46 +01:00
2 changed files with 23 additions and 4 deletions
--- a/src/sigstore/sigstore.ts
+++ b/src/sigstore/sigstore.ts
@@ -135,7 +135,7 @@ export class Sigstore {
        const verifyResult = await this.verifyImageAttestation(attestationRef, {
          noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
          certificateIdentityRegexp: opts.certificateIdentityRegexp,
-          retries: opts.retries
+          retryOnManifestUnknown: opts.retryOnManifestUnknown
        });
        core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
        result[attestationRef] = verifyResult;
@@ -164,8 +164,6 @@ export class Sigstore {
  }

  public async verifyImageAttestation(attestationRef: string, opts: VerifySignedManifestsOpts): Promise<VerifySignedManifestsResult> {
-    const retries = opts.retries ?? 15;
-
    if (!(await this.cosign.isAvailable())) {
      throw new Error('Cosign is required to verify signed manifests');
    }
@@ -183,6 +181,27 @@ export class Sigstore {
      cosignArgs.push('--use-signed-timestamps', '--insecure-ignore-tlog');
    }

+    if (!opts.retryOnManifestUnknown) {
+      core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
+      const execRes = await Exec.getExecOutput('cosign', ['--verbose', ...cosignArgs, attestationRef], {
+        ignoreReturnCode: true,
+        silent: true,
+        env: Object.assign({}, process.env, {
+          COSIGN_EXPERIMENTAL: '1'
+        }) as {[key: string]: string}
+      });
+      if (execRes.exitCode !== 0) {
+        // prettier-ignore
+        throw new Error(`Cosign verify command failed with: ${execRes.stderr.trim().split(/\r?\n/).filter(line => line.length > 0).pop() ?? 'unknown error'}`);
+      }
+      const verifyResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+      return {
+        cosignArgs: cosignArgs,
+        signatureManifestDigest: verifyResult.signatureManifestDigest!
+      };
+    }
+
+    const retries = 15;
    let lastError: Error | undefined;
    core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
    for (let attempt = 0; attempt < retries; attempt++) {
--- a/src/types/sigstore/sigstore.ts
+++ b/src/types/sigstore/sigstore.ts
@@ -48,7 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
 export interface VerifySignedManifestsOpts {
  certificateIdentityRegexp: string;
  noTransparencyLog?: boolean;
-  retries?: number;
+  retryOnManifestUnknown?: boolean;
 }

 export interface VerifySignedManifestsResult {
Author	SHA1	Message	Date
CrazyMax	6e1b0e6179	Merge pull request #934 from docker/sigstore-verify-retry Some checks failed publish / publish (push) Has been cancelled Details sigstore: make retry on manifest unknown optional	2026-01-13 17:33:53 +01:00
CrazyMax	b4f34ed319	sigstore: make retry on manifest unknown optional Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-01-13 16:21:46 +01:00