From 8f8888765f7ddcda9b94dba0e04ecf925c7623d4 Mon Sep 17 00:00:00 2001 From: Craig Date: Tue, 19 Aug 2025 09:07:39 -0700 Subject: [PATCH 1/4] dhi: add skip-tlog info Signed-off-by: Craig --- content/manuals/dhi/how-to/verify.md | 32 ++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/content/manuals/dhi/how-to/verify.md b/content/manuals/dhi/how-to/verify.md index f5c79273ca73..a22156d57816 100644 --- a/content/manuals/dhi/how-to/verify.md +++ b/content/manuals/dhi/how-to/verify.md @@ -119,6 +119,38 @@ $ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \ --predicate-type https://scout.docker.com/sbom/v0.1 --verify ``` +#### Handle missing transparency log entries + +When using `--verify`, you may sometimes see an error like: + +```text +ERROR no matching signatures: signature not found in transparency log +``` + +This occurs because Docker Hardened Images don't always record attestations in +the public [Rekor](https://docs.sigstore.dev/logging/overview/) transparency +log. In cases where an attestation would contain private user information (for +example, your organization's namespace in the image reference), writing it to +Rekor would expose that information publicly. + +Even if the Rekor entry is missing, the attestation is still signed with +Docker's public key and can be verified offline by skipping the Rekor +transparency log check. + +To skip the transparency log check and validate against Docker's key, use the +`--skip-tlog` flag: + +```console +$ docker scout attest get \ + --predicate-type https://cyclonedx.org/bom/v1.6 \ + /dhi-: --platform \ + --verify --skip-tlog +``` + +This is equivalent to using `cosign` with the `--insecure-ignore-tlog=true` +flag, which validates the signature against Docker's published public key, but +ignores the transparency log check. + ### Show the equivalent cosign command When using the `--verify` flag, it also prints the corresponding 
From 53049d0115b0b3a1b6d751b71e5d662716002ebe Mon Sep 17 00:00:00 2001 From: Craig Date: Tue, 19 Aug 2025 09:25:35 -0700 Subject: [PATCH 2/4] vale: add Rekor to vocab Signed-off-by: Craig --- _vale/config/vocabularies/Docker/accept.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/_vale/config/vocabularies/Docker/accept.txt b/_vale/config/vocabularies/Docker/accept.txt index 9fb5c354da85..91e1e5dee7d4 100644 --- a/_vale/config/vocabularies/Docker/accept.txt +++ b/_vale/config/vocabularies/Docker/accept.txt @@ -152,6 +152,7 @@ Qualcomm Quickview rebalance reimplement +Rekor rollback rootful runc From fd3162231b2b0f17769f66c62bb788f5cc9791af Mon Sep 17 00:00:00 2001 From: Craig Date: Tue, 26 Aug 2025 12:05:00 -0700 Subject: [PATCH 3/4] add version note Signed-off-by: Craig --- content/manuals/dhi/how-to/verify.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/manuals/dhi/how-to/verify.md b/content/manuals/dhi/how-to/verify.md index a22156d57816..b4c20ee052fe 100644 --- a/content/manuals/dhi/how-to/verify.md +++ b/content/manuals/dhi/how-to/verify.md @@ -147,6 +147,11 @@ $ docker scout attest get \ --verify --skip-tlog ``` +> [!NOTE] +> +> The `--skip-tlog` flag is only available in Docker Scout CLI version 1.18.3 and +> later. + This is equivalent to using `cosign` with the `--insecure-ignore-tlog=true` flag, which validates the signature against Docker's published public key, but ignores the transparency log check. From 7179d635a74a2e5b1e9f2f326b1fd5055f2f58a3 Mon Sep 17 00:00:00 2001 From: Craig Date: Tue, 26 Aug 2025 12:14:35 -0700 Subject: [PATCH 4/4] fix version Signed-off-by: Craig --- content/manuals/dhi/how-to/verify.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/dhi/how-to/verify.md b/content/manuals/dhi/how-to/verify.md index b4c20ee052fe..55b9a2906cf1 100644 --- a/content/manuals/dhi/how-to/verify.md +++ b/content/manuals/dhi/how-to/verify.md 
@@ -149,7 +149,7 @@ $ docker scout attest get \ > [!NOTE] > -> The `--skip-tlog` flag is only available in Docker Scout CLI version 1.18.3 and +> The `--skip-tlog` flag is only available in Docker Scout CLI version 1.18.2 and > later. This is equivalent to using `cosign` with the `--insecure-ignore-tlog=true`
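Review bot: in PATCH 1/4 the example command reads `/dhi-: --platform` with no placeholders, so the namespace, repository, tag and platform values have been lost (angle-bracket placeholders in markdown are swallowed as HTML tags unless escaped); restore them in backticks or with escaped brackets, for example `<your-namespace>/dhi-<image>:<tag> --platform <platform>`, so the reader can see what to substitute. The sentence "the attestation is still signed with Docker's public key" should read signed with Docker's private key and verifiable with its published public key, matching the final paragraph of the hunk. Since the cosign equivalent is named `--insecure-ignore-tlog=true`, add one sentence stating what is given up when `--skip-tlog` is used: the Rekor check supplies a public, append-only record of the signing event, and without it the verification rests on the key alone, so the flag belongs only where the missing Rekor entry is the expected case described in the preceding paragraphs.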
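Review bot: the minimum version stated in PATCH 3/4 (1.18.3) is corrected to 1.18.2 in PATCH 4/4; squash the two commits so that no commit in the series documents an incorrect minimum version, and consider noting in the commit message which Docker Scout CLI release introduced `--skip-tlog` so the figure can be checked against the changelog.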