cosign: bug: x509 verification broken

Description

The documented x509 certificate verification isn’t working as expected. This is broken in two different ways at HEAD (29360f6a3390d44dd8faef636dd0c3449a213c88) and v2.0.0-rc0.

HEAD

$cosign verify --certificate-chain bundle.pem --certificate cert.pem  $(cat image)
Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
main.go:63: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

v2.0.0-rc0

$ cosign verify --certificate-chain bundle.pem --certificate cert.pem  $(cat image) --insecure-ignore-sct
Error: no matching signatures:
error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgC9YnGfLG1oNUg7qbVoI9RaCYNmU
SC8QYw9JCIEdkn+ySEfwRPMVwd8ljiSljFSvw9TWuqxj5WvOMU43wmO9jQ==
-----END PUBLIC KEY-----
, got -----BEGIN CERTIFICATE-----
MIICEzCCAbqgAwIBAgIRAKHhIO8ezAumM0UvolewscEwCgYIKoZIzj0EAwIwJDEi
MCAGA1UEAxMZTm90RnVsY2lvIEludGVybWVkaWF0ZSBDQTAeFw0yMzAxMTUyMjUz
NThaFw0yMzAxMTUyMjU5NThaMAwxCjAIBgNVBAMTATEwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQDOAZjN5VZ7wARVO7hoYvf4Ra/UROo/Img1bPIOk5jF1ha+sEp
duoZ3pKuw7Xv3QCqWWPNNYKr4X5OJoYAbubBo4HkMIHhMA4GA1UdDwEB/wQEAwIH
gDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUXVBLLUtgD8UljJXEkzXp
yH8aTywwHwYDVR0jBBgwFoAU5h1Is9hr/ITmJe3qM3aThHsfETAwNgYDVR0RBC8w
LYEPY29kZUBuZnNtaXRoLmNhhhpodHRwczovL2NvZGUubmZzbWl0aC5jYS8jMTBC
BgwrBgEEAYKkZMYoQAEEMjAwAgECBAVnaXRlYQQkZjQ5YzkwNmYtZGZiZC00NjI2
LWExMWEtMmQyODhlMjYzZmM2MAoGCCqGSM49BAMCA0cAMEQCICPQcmZ4/f+rnERW
a+nTuWcgVSne2X2IzSzAOrJggLh4AiBDKMzfsaDkxY8JAned38JScsA3I0C0tMGk
qivv/JB29w==
-----END CERTIFICATE-----

Version

  • v2.0.0-rc0
  • HEAD (29360f6a3390d44dd8faef636dd0c3449a213c88)
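The second failure above comes from comparing a public-key PEM string with a certificate PEM string, which can never be equal even when the certificate carries exactly that key. As an added illustration (not cosign's own code), this Go example normalises either PEM form to the key's PKIX DER before comparing; the P-256 key and self-signed certificate are constructed inline as throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// publicKeyDER returns the PKIX (SubjectPublicKeyInfo) DER of the key in a "PUBLIC KEY" or "CERTIFICATE" PEM block.
func publicKeyDER(pemBytes []byte) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil { return nil, fmt.Errorf("no PEM block found") }
	if block.Type == "CERTIFICATE" { // unwrap the certificate and re-encode its public key
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil { return nil, err }
		return x509.MarshalPKIXPublicKey(cert.PublicKey)
	}
	if block.Type != "PUBLIC KEY" { return nil, fmt.Errorf("unsupported PEM type %q", block.Type) }
	return block.Bytes, nil // already PKIX-encoded
}

// SamePublicKey compares keys, not PEM text: key PEM vs certificate PEM for one key is equal here.
func SamePublicKey(a, b []byte) (bool, error) {
	da, errA := publicKeyDER(a)
	db, errB := publicKeyDER(b)
	if errA != nil || errB != nil { return false, fmt.Errorf("decode: %v / %v", errA, errB) }
	return string(da) == string(db), nil
}

// NewKeyAndCert builds a throwaway P-256 key and self-signed cert, PEM-encoded (constructed data, not cosign fixtures).
func NewKeyAndCert() ([]byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a fresh P-256 key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), nil
}

func main() {
	pub, cert, _ := NewKeyAndCert()
	fmt.Println(string(pub) == string(cert)) // false: the PEM strings themselves never match
	fmt.Println(SamePublicKey(pub, cert))    // true <nil>: the key inside them does
}
```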

About this issue

  • State: open
  • Created a year ago
  • Reactions: 3
  • Comments: 31 (29 by maintainers)

Most upvoted comments

You can drop certificate-chain and certificate during cosign verify, since they’re already attached to the container and cosign will get them from the container manifest.

I am also making the assumption that Rekor creates timestamp signatures at sign time and serves them at verify time, encompassing the role of a timestamp server. Is that correct?

Rekor acts as a witness to a signing event and will provide a timestamp on upload. If a signer wants to distribute trust to a third-party timestamp authority, it can do so by fetching a timestamp that is signed over the artifact/container signature. The timestamp that comes from either Rekor or the timestamp authority is used during verification.

Could you clarify this? Do you mean have policy flags for non-fulcio-like certificates? If so, I don’t think this is something we should implement. We will have an endlessly growing list of policy flags if so.

Yeah, so the idea here was just to have one more flag like --policy foo.rego so that folks could just pass in a rego policy. Like you said, one-off flags would just grow and grow. I feel like we should just support arbitrary rego or cue or whatever, and then folks can add whatever verification logic they want. This matches the policy-controller support for rego and cue when things just get too complicated and users need an escape hatch for their situation.

@nsmith5, do you want to check out https://github.com/sigstore/cosign/pull/2633 locally and check to see if that mitigates the second issue?