cosign: Cosign 2.2.1 Docker image missing /bin/sh

Description

Cosign 2.2.1 does not include the sh executable, and fails to run through a GitLab CI pipeline.

Extract of .gitlab-ci.yml:

sign-image:
  stage: push
  variables:
    SSL_CERT_FILE: ${VAULT_CACERT}
  image:
    name: gcr.io/projectsigstore/cosign:v2.2.1
    entrypoint: [""]
  script:
    - cosign login ${REGISTRY_URL} --username ${REGISTRY_USERNAME} --password ${REGISTRY_PASSWORD}
    - echo $COSIGN_PRIVATE_KEY | base64 -d > /tmp/cosign_private_key
    - cosign sign --key /tmp/cosign_private_key "${REGISTRY_URL}/${REGISTRY_PROJECT}/${IMAGE}:${VERSION}" --yes
    - rm /tmp/cosign_private_key -f

Result:

Using docker image sha256:aadc646735691b2cec958e1930c2b815f66f6b4aec58d4dc88e1211dd463083b for gcr.io/projectsigstore/cosign:v2.2.1 with digest gcr.io/projectsigstore/cosign@sha256:88498ed17e61605cd68a5fc9d1fcd756ae0ef2d5515417881d739654accf818f ...
Cleaning up project directory and file based variables 00:02
ERROR: Job failed (system failure): Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown (exec.go:78:2s)

Downgrading to Cosign 2.2.0 fixes the issue.

By the way, the Cosign 2.2.1 Docker image is much smaller than the 2.2.0 one (107 Mb instead of 124 Mb).

Version

Cosign 2.2.1 Docker image (gcr.io/projectsigstore/cosign:v2.2.1).

About this issue

  • State: closed
  • Created 8 months ago
  • Reactions: 3
  • Comments: 16 (11 by maintainers)

Most upvoted comments

Thanks for the 2.2.2 release, gcr.io/projectsigstore/cosign:v2.2.2-dev works fine in my GitLab CI pipeline.

@Fredouye I’ll take a look at creating a dev or debug image. I’m not familiar with GitLab CI, but from the example you’ve given, it seems like a shell is necessary. Maybe there’s a way to do a multi-step process where the key and registry credentials are obtained and passed to the Cosign invocation step?
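
Added example (not part of the original thread and not the Cosign project's own configuration): the job from the report moved to the `v2.2.2-dev` tag that the reporter confirmed working, since the runner needs `sh` inside the job image once the entrypoint is emptied. The variable names are the ones from the report; piping the password through `--password-stdin`, the `umask` line, and the quoting are choices made for this example.

```yaml
sign-image:
  stage: push
  variables:
    SSL_CERT_FILE: ${VAULT_CACERT}
  image:
    # The v2.2.1 image has no sh, so the runner's exec of "sh" fails before
    # any script line runs (the "executable file not found" error above).
    # The -dev tag is the one reported working in this thread.
    name: gcr.io/projectsigstore/cosign:v2.2.2-dev
    # Empty entrypoint: the runner starts its own shell instead of cosign.
    entrypoint: [""]
  script:
    # Choice made for this example: pass the registry password on stdin so it
    # does not appear in the process arguments.
    - printf '%s' "${REGISTRY_PASSWORD}" | cosign login "${REGISTRY_URL}" --username "${REGISTRY_USERNAME}" --password-stdin
    # Files created from here on are readable by the job user only.
    - umask 077
    # COSIGN_PRIVATE_KEY is base64-encoded, as in the report.
    - printf '%s' "${COSIGN_PRIVATE_KEY}" | base64 -d > /tmp/cosign_private_key
    - cosign sign --key /tmp/cosign_private_key "${REGISTRY_URL}/${REGISTRY_PROJECT}/${IMAGE}:${VERSION}" --yes
    - rm -f /tmp/cosign_private_key
```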