file output of --output-certificate is base64 encoded (badly?), but the decoded contents are just a b64 pem file.
When running
COSIGN_EXPERIMENTAL=1 cosign sign-blob foo.bin --output-signature sig --output-certificate foo.pem
I found that the contents of foo.pem was:
➜ signing-playground cat service.pem
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%
running this through base64 yields:
➜ signing-playground cat service.pem | base64 -d
parse error: Invalid numeric literal at line 1, column 11
removing the '%' character from the end and re-running yielded:
➜ signing-playground cat test.pem | base64 -d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
So it left me wondering a couple of things. Why is there a % char at the end of the file output, and why not skip the base64 middle man and store the pem cert as-is?
Looks like there's inconsistent behavior, cosign sign ... --output-certificate cert.pem does not base64 encode the output.
We just need to fix it for sign-blob.
I'm a little confused, because this outputs rekorBytes as-is https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/sign/sign_blob.go#L69
This may have been to handle DER-encoded certificates, but we only return PEM-encoded.
looks like the % char is some zsh output that I didn't know about
The relevant lines in sign seem pretty much the same
zsh (there are a few other shells that do this as well) uses % to distinguish between:
- (no %): the command you ran ended its output with a newline
- (%): the command you just ran did not terminate with a newline, but rather than start your prompt in the middle of the last line, I've automatically inserted a newline here
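The thread shows two shapes for the file written by --output-certificate: raw PEM from `cosign sign` and base64-wrapped PEM from `cosign sign-blob`. As an added example (not cosign's own code), this Go helper accepts either shape, unwraps the base64 layer only when the bytes are not already PEM, and refuses anything that does not decode to exactly one CERTIFICATE block. The function name and the placeholder certificate body are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// NormalizeCertOutput (hypothetical helper) takes the bytes of an
// --output-certificate file in either form seen in this thread and returns
// canonical PEM. Anything that is not a single CERTIFICATE block is rejected.
func NormalizeCertOutput(raw []byte) ([]byte, error) {
	data := bytes.TrimSpace(raw)
	if !bytes.HasPrefix(data, []byte("-----BEGIN ")) {
		// Not PEM on its face: assume the sign-blob base64 wrapper and unwrap it.
		decoded, err := base64.StdEncoding.DecodeString(string(data))
		if err != nil {
			return nil, fmt.Errorf("neither PEM nor base64-wrapped PEM: %w", err)
		}
		data = bytes.TrimSpace(decoded)
	}
	block, rest := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found after unwrapping")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("trailing data after certificate block")
	}
	return pem.EncodeToMemory(block), nil
}

// constructedPEM wraps placeholder bytes in a CERTIFICATE block. This is
// constructed sample input for the demo, not a real certificate.
func constructedPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not-a-real-der-cert")})
}

func main() {
	plain := constructedPEM()
	wrapped := []byte(base64.StdEncoding.EncodeToString(plain) + "\n")
	for _, in := range [][]byte{plain, wrapped} {
		out, err := NormalizeCertOutput(in)
		fmt.Printf("err=%v equal=%v\n", err, bytes.Equal(out, plain))
	}
}
```

Both inputs normalize to the same PEM bytes; a stray "%" from a zsh prompt pasted into the file is not valid base64 and is reported as an error rather than silently dropped.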