cosign: Local Cert verify not working for Azure KMS
Description
Using cosign with Azure KMS results in different behavior for validation with KMS and local pub cert.
```
cosign verify -key azurekms://keyvault-xyz.vault.azure.net/cosign registryXYZ.azurecr.io/example-func:1.0.0
using embedded fulcio certificate. did you run `cosign init`? error retrieving target: missing target metadata: tuf: no root keys found in local meta store

Verification for registryXYZ.azurecr.io/example-func:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"registryXYZ.azurecr.io/example-func"},"image":{"docker-manifest-digest":"sha256:e231349fdf394a570e0cb84fe5109bc6980f52b84dd219fcae9922922a715d7d"},"type":"cosign container image signature"},"optional":{"tag":"1.0.0"}},{"critical":{"identity":{"docker-reference":"registryXYZ.azurecr.io/example-func"},"image":{"docker-manifest-digest":"sha256:e231349fdf394a570e0cb84fe5109bc6980f52b84dd219fcae9922922a715d7d"},"type":"cosign container image signature"},"optional":null}]
```
But when I use the created public certificate, the result is as follows:
```
cosign verify -key cosign.pub registryXYZ.azurecr.io/example-func:1.0.0
using embedded fulcio certificate. did you run `cosign init`? error retrieving target: missing target metadata: tuf: no root keys found in local meta store
error: no matching signatures:
failed to verify signature
failed to verify signature
```
I also exported the key again and tried to reproduce, with the same result:
```
cosign public-key -key azurekms://ckeyvaultXYZ.azure.net/cosign > cosign-new.pub
cosign verify -key cosign-new.pub registryXYZ.azurecr.io/example-func:1.0.0
using embedded fulcio certificate. did you run `cosign init`? error retrieving target: missing target metadata: tuf: no root keys found in local meta store
error: no matching signatures:
failed to verify signature
failed to verify signature
```
Is there anything I did wrong, or is there a bug in the verification? Earlier I also added some comments to #399, when the feature was still under active development.
```
cosign version
GitVersion:    v1.1.0
GitCommit:     67934a685ddc83aa7b0b8a55c911e299117afac5
GitTreeState:  clean
BuildDate:     '2021-08-25T21:51:14Z'
GoVersion:     go1.17
Compiler:      gc
Platform:      darwin/arm64
```
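What `cosign verify -key cosign.pub` actually does with an exported key, as an added example in Go (this is not cosign's or sigstore's own code): it parses the PEM public key, hashes the signed payload with SHA-256, checks the ECDSA signature, and then tries every signature attached to the image, reporting "no matching signatures" only when none verifies. The payload is the first `critical` entry from the verify output above. The P-256 key is generated locally as a stand-in for the Key Vault key (the real key never leaves the KMS), and a second, unrelated key stands in for an exported `cosign.pub` that does not correspond to the signing key; all function names are this example's own. The distinction it draws is the useful one for this report: when the KMS path verifies but every signature fails against the exported key, the signatures on the image are intact and it is the local key material that does not match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// Constructed sample: the payload cosign signed for the image in the issue
// (the first "critical" entry from the cosign verify output, compacted).
const SamplePayload = `{"critical":{"identity":{"docker-reference":"registryXYZ.azurecr.io/example-func"},"image":{"docker-manifest-digest":"sha256:e231349fdf394a570e0cb84fe5109bc6980f52b84dd219fcae9922922a715d7d"},"type":"cosign container image signature"},"optional":{"tag":"1.0.0"}}`

// NewSigningKey is a local stand-in for the key held in Azure Key Vault:
// a P-256 key, the curve cosign uses by default, so the example runs offline.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ExportPublicKeyPEM mirrors what `cosign public-key` writes to cosign.pub:
// the public half in PKIX (SubjectPublicKeyInfo) form, PEM-encoded.
func ExportPublicKeyPEM(priv *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignPayload produces the signature as cosign stores it on the signature
// layer: ECDSA over the SHA-256 digest of the payload, ASN.1 DER, base64.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyWithPEM is the local-key path: parse the PEM, hash the payload and
// check the ECDSA signature. Anything but a valid signature under this exact
// key is an error.
func VerifyWithPEM(pubPEM, payload []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("cosign.pub is not a PEM public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing public key: %w", err)
	}
	ecPub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(ecPub, digest[:], sig) {
		return errors.New("failed to verify signature")
	}
	return nil
}

// CountMatching replays the loop over every signature attached to the image:
// each is tried against the key; "no matching signatures" means zero matched.
func CountMatching(pubPEM, payload []byte, sigs []string) (int, []error) {
	var matched int
	var errs []error
	for _, s := range sigs {
		if err := VerifyWithPEM(pubPEM, payload, s); err != nil {
			errs = append(errs, err)
			continue
		}
		matched++
	}
	return matched, errs
}

func main() {
	payload := []byte(SamplePayload)
	kmsKey, _ := NewSigningKey()
	sig, _ := SignPayload(kmsKey, payload)
	goodPub, _ := ExportPublicKeyPEM(kmsKey)
	// An unrelated key stands in for an exported cosign.pub that does not
	// correspond to the key the KMS actually signed with.
	otherKey, _ := NewSigningKey()
	wrongPub, _ := ExportPublicKeyPEM(otherKey)
	n, _ := CountMatching(goodPub, payload, []string{sig, sig})
	fmt.Printf("exported key:   %d of 2 signatures verified\n", n)
	n, errs := CountMatching(wrongPub, payload, []string{sig, sig})
	fmt.Printf("mismatched key: %d of 2 signatures verified, errors: %v\n", n, errs)
}
```

Run as-is it prints two of two matches for the exported key and zero for the mismatched one, with `failed to verify signature` once per attached signature, which is the shape of the output in the report: two signatures on the image, two identical failures.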
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (10 by maintainers)
Commits related to this issue
- Bump sigstore/sigstore to pickup a fix for azure kms. This fixes #589 finally! Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> — committed to dlorenc/cosign by dlorenc 3 years ago
- Bump sigstore/sigstore to pickup a fix for azure kms. (#1011) This fixes #589 finally! Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> — committed to sigstore/cosign by deleted user 3 years ago
We can probably cut a 1.3.1 this week. WDYT @dekkagaijin and @cpanato?
@dlorenc @cpanato
thank you for getting back to me, here are some more details:
I created the Azure key with the built-in cosign command.
The interesting part is that verification via the KMS command works, while using the local public key does not.
This is the public certificate I try to verify with: