Hayden B
I was interested in making changes around this, thanks for bringing this up! I'd prefer a new flag `--chain` to specify a certificate chain. That can be a concatenated chain...
> What you're describing with TUF makes sense for command line verification. However for something like kyverno policy, I'm not entirely sure it's needed. The ability to provide policy configuration...
I can work on this later this week, unless @bburky was planning to work on this.
I'll split this change into two. The first will add support for intermediate certs for those using the Cosign library. For adding support for verification using flags, I'd like...
I'm walking back the earlier comment about not allowing the root certificate to be specified. With the assumptions the code currently makes, it's assumed that Fulcio, Rekor and TUF usage...
All PRs have been submitted now. If there are any issues, in particular with PKCS11 tokens, let me know!
I can add support to `sign-blob` too, but it would just be for verifying the certificate chain. For `sign` with a custom certificate chain, we verify the chain, but also...
Totally reasonable! I'll take a look at adding this. When I've been testing out Fulcio locally, I either provide the insecure flag, or set up a local TUF repository.
Looked into adding this. A couple of thoughts:

* Mirroring `cosign sign`, we could add support for `--cert` and `--chain`, but that would only be for a key delivery...
Will take a look! At a glance, my guess is the correct intermediate is not being found, but it might be something else.