Friction Log: Signing a Blob #184

Open
1 of 4 tasks
smythp opened this issue Jun 7, 2023 · 0 comments
Labels
enhancement New feature or request

Comments


smythp commented Jun 7, 2023

Signing a Blob Friction Log

Log Info

GitHub Username: smythp
Date : <2023-06-07 Wed>
Use case / goal: Sign a blob
OS environment: Linux Mint 20.2
Product(s): Cosign
Programming languages: bash

Background

My name is Patrick Smyth, and I'll be working with SigStore over the coming months as part of the Google Summer of Docs program. 👋

I'm starting contribution with a few friction logs. Thanks to Kara Olive for providing a useful template. I'll be opening issues related to this log over the next day or so.

Full Task Log

Started task, sign a blob, at <2023-06-07 Wed 12:19>

Google results for "sign a blob sigstore":

Kagi results (what I actually use):

I read the first 5 paragraphs of the signing blobs page, realize I need more context, then read the Cosign overview page.

I establish I need to install Cosign.

Follow link to Cosign installation instructions.

See that a number of distros have Cosign packages, but my distro (Ubuntu/Mint) not cool enough. Try control-f on page for "Ubuntu" and "Mint".

FRICTION: No distro names for Debian/Ubuntu/Mint

Think about whether to grab a binary or go the Go route. Decide to look at the binaries, if something goes wrong I'll fall back to Go, as it seems first class here (listed first) and am somewhat familiar with Go.

Go to binary page. Feel like maybe the link to the binary page shouldn't be a bare link, but should have anchor text of some kind?

FRICTION: Bare link to binary page

Some duplication between docs and GitHub release pages. Looking for binary.

FRICTION: Expected to see binaries only based on language on Cosign installation page, transition to release page slightly disorienting for this reason.

See long, long list of links, including signatures. Control-f for ubuntu, mint, dpkg, no luck.

FRICTION: Possible to organize release page, possibly group binaries with sigs?

Read past rpms, there's a listing called "cosign-linux-amd64," mysterious but perhaps?

FRICTION: Debian/Ubuntu/Mint (or whatever) binary somewhat mysteriously labeled

Open command line (zsh, cleaned up some below outputs but mostly verbatim). Command line session as follows:

$ ~ cd Downloads
$ Downloads ./cosign-linux-amd64 --version
zsh: permission denied: ./cosign-linux-amd64
$ Downloads chmod a+x cosign-linux-amd64
$ Downloads ./cosign-linux-amd64 --version
Error: unknown flag: --version
main.go:74: error during command execution: unknown flag: --version
$ Downloads ./cosign-linux-amd64
A tool for Container Signing, Verification and Storage in an OCI registry.

Usage:
  cosign [command]

Available Commands:
  attach                  Provides utilities for attaching artifacts to other artifacts in a registry
[...]
$ Downloads ./cosign-linux-amd64 --version |grep -i "version"
Error: unknown flag: --version
main.go:74: error during command execution: unknown flag: --version
$ Downloads ./cosign-linux-amd64 |grep -i "version"
  version                 Prints the version
$ Downloads ./cosign-linux-amd64 version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.0.2
GitCommit:     871448050b924a7946ebe47678f23aae09ef432d
GitTreeState:  clean
BuildDate:     2023-04-24T17:31:42Z
GoVersion:     go1.20.3
Compiler:      gc
Platform:      linux/amd6

I try running the binary, need to change permissions. Use chmod to change permissions to executable. Try getting version with ./ --version, get command not found. Use grep on output to find info on getting version, looks like it needs to be ./ version (as a subcommand, not as a flag). Feel like maybe --version should also be supported, as it's pretty typical for CLI utilities?

FRICTION: --version flag not supported in Debian/Ubuntu/Mint binary, probably all binaries.

Run ./ version and get the version output, with cool ASCII art, nice.

Close two installation tabs, back at Cosign overview page.

I'll put the binary on the path for now. I have a scripts folder on the path, I'll put it in there rather than /usr/bin or whatever since I don't want to forget about it.

$ Downloads mv ~/Downloads/cosign-linux-amd64 ~/scripts/cosign
$ Downloads exec $SHELL
$ Downloads cosign version
<cool ASCII art, etc.>

OK, let's do it! Decide to sign a picture of my sister's wedding, because it may be mission critical to verify its integrity in the future.

Copy command to scratch in my text editor:

$ cosign sign-blob <file> --bundle cosign.bundle

Replace with:

$ cosign sign-blob wedding.jpg --bundle cosign.bundle

Pretty straightforward. The only part of this I'm not sure about right now is that last part, the --bundle cosign.bundle flag, but ignoring that for now.

Running command, get this output:

Using payload from: wedding.jpg
Generating ephemeral keys...
Retrieving signed certificate...

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at <https://lfprojects.org/policies/hosted-project-tools-terms-of-use/>.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at <https://lfprojects.org/policies/hosted-project-tools-immutable-records/>.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N]

I hit y:

Are you sure you would like to continue? [y/N] y
Your browser will now be opened to:
<url redacted>

I like the explicitness of the message in the terminal about what's happening.

In the browser:

Screenshot of the authentication page

Apparently Linux is copyright Linus Torvalds. Thanks, Linus.

Choose to use GitHub, would prefer some generic email options due to standard-issue coder paranoia, but fine for now and will look into that later.

My browser gets stuck in the redirect page, clicking the link manually...

FRICTION: On my browser, redirect wasn't automatic. However, manual redirect worked.

I get bad request. Guessing it's a timeout since I stopped to take notes. Feel like that short of a timeout might be an accessibility issue?

FRICTION: Timeout for signing very short. This might be a situation in which security and accessibility trade off, but might want to consider providing slightly more time for accessibility.

Retrying, moving fast this time...

Get success message in browser, close tab.

See certs in terminal, plus:

Wrote bundle to file cosign.bundle
<hash or whatever redacted>

Excellent, I've signed a blob.


Successfully completed task at <2023-06-07 Wed 13:06>.

Task completed in 47 minutes, including notetaking. Treat as ~25-30 minutes.


Summary of Friction

It took me 47 minutes while taking notes, or ~25-30 minutes on task, to sign a blob. While I have specific instances of friction below, I'd count this as an overall success, with only some specific elements that I will flag for issues.

I oriented pretty quickly on the installation instructions from a relatively cold Google search. (I did know what task I wanted, signing a blob, so not totally cold.) It's possible that some more fundamental language around why you'd want to sign might be useful, but hard to say as I already know what the tool does by now.

The most friction was encountered while trying to find the appropriate binary. I wasn't confident that I would find it, or even that I had found the correct one after downloading.

Once I had the binary on my path, signing was fairly pleasant. Not supporting the --version flag initially made me think something might be wrong, especially in connection with the uncertainty around the binary.

I didn't verify the download, and probably should have. If I'd been more confident about whether I'd found the right binary I would have been somewhat more likely to verify, and if this had been a production scenario I would have verified the download, probably extending task time.

The timeout on the web auth page is quite short. Could be an accessibility issue. Web auth and browser interactions were mostly pretty smooth, however, and I liked how few steps there were once I opened the browser. (May have literally been two clicks.)

Overall positive with some specific issues listed below.

Friction List

  • FRICTION: No distro names for Debian/Ubuntu/Mint in Cosign installation instructions
  • FRICTION: Bare link to binary page in Cosign installation instructions
  • FRICTION: Expected to see binaries only based on language on Cosign installation page, transition to release page slightly disorienting for this reason.
  • FRICTION: Possible to organize release page, possibly group binaries with sigs?
  • FRICTION: Debian/Ubuntu/Mint (or whatever) binary somewhat mysteriously labeled (Just says "linux" and CPU architecture.)
  • FRICTION: --version flag not supported in Debian/Ubuntu/Mint binary, probably all binaries.
  • FRICTION: On my browser, redirect wasn't automatic. However, manual redirect worked. (Pretty minor.)
  • FRICTION: Timeout for signing very short. This might be a situation in which security and accessibility trade off, but might want to consider providing slightly more time for accessibility.

As I open issues based on the above encounters, I'll reference this friction log.

Issues Opened
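An added example, not part of smythp's log, covering the two checks the log leaves out: verifying the downloaded cosign-linux-amd64 binary before trusting it, and verifying the cosign.bundle produced by `cosign sign-blob wedding.jpg --bundle cosign.bundle` with the signer identity pinned. The release asset names (cosign_checksums.txt, cosign-linux-amd64-keyless.sig, cosign-linux-amd64-keyless.pem) and the release-signing identity are assumptions taken from the cosign release layout and install docs; the GitHub OIDC issuer is assumed because the log authenticated via GitHub.

```shell
#!/bin/sh
# Added example (not from the friction log). Assumed: release asset names,
# the cosign release-signing identity, and GitHub as the OIDC issuer.

# checksum_matches FILE CHECKSUMS
# Returns 0 when FILE's SHA-256 equals the entry for its basename in CHECKSUMS
# ("<hex>  <name>" lines as written by sha256sum), 1 when the entry is missing
# or differs. A missing entry fails on purpose: "no line" must never pass.
checksum_matches() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# verify_release_binary BINARY
# Step 1 needs no cosign: compare BINARY against the release checksum list
# sitting beside it. Step 2 checks the release's keyless signature on BINARY
# with an already trusted cosign (bootstrapping needs one trusted copy),
# pinned to the identity the cosign project publishes releases under.
verify_release_binary() {
  bin=$1
  dir=$(dirname "$bin")
  checksum_matches "$bin" "$dir/cosign_checksums.txt" || return 1
  cosign verify-blob "$bin" \
    --certificate "$bin-keyless.pem" \
    --signature "$bin-keyless.sig" \
    --certificate-identity keyless@projectsigstore.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com
}

# verify_signed_blob FILE BUNDLE IDENTITY
# Verifies a sign-blob bundle. IDENTITY is the email of the GitHub account
# chosen at the browser prompt; the issuer is GitHub's OIDC endpoint. Without
# these two pins any certificate Fulcio ever issued would satisfy the check.
verify_signed_blob() {
  cosign verify-blob "$1" --bundle "$2" \
    --certificate-identity "$3" \
    --certificate-oidc-issuer https://github.com/login/oauth
}
```

Only checksum_matches runs without cosign on the path; the other two functions shell out to the cosign binary and need network access to Rekor.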
