
x509: cannot verify signature: insecure algorithm SHA1-RSA

Open imjasonh opened this issue 3 years ago • 6 comments

Description

From head (95b74db89941e8ec85e768f639efd4d948db06cd)

$ go test ./pkg/cosign/
--- FAIL: TestValidateAndUnpackCertWithSCT (0.00s)
    verify_test.go:457: ValidateAndUnpackCert expected no error, got err = x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Certificate Transparency CA")
    verify_test.go:464: ValidateAndUnpackCert expected no error, got err = x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Certificate Transparency CA")
FAIL
FAIL	github.com/sigstore/cosign/pkg/cosign	1.422s
FAIL

Adding the GODEBUG as suggested makes the test pass:

GODEBUG=x509sha1=1 go test ./pkg/cosign/
ok  	github.com/sigstore/cosign/pkg/cosign	1.367s
$ go version
go version go1.18.2 darwin/arm64

Mostly filing this since I couldn't find any other reference to this in issues or code in any sigstore repo. Has anybody seen this before?

edit: see https://github.com/golang/go/issues/41682

imjasonh, Jul 22 '22 13:07

Looking into this. Interestingly it fails on 1.18, but not 1.19.

Hayden-IO, Aug 02 '22 23:08

Need to generate new test data for certificate-transparency-go that doesn't use SHA1 for the signing algorithm digest.

Hayden-IO, Aug 02 '22 23:08
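The fix Hayden-IO describes is regenerating fixtures with a non-SHA-1 signature algorithm rather than relying on GODEBUG=x509sha1=1. The following is an added example, not code from cosign or certificate-transparency-go: it builds a throwaway CA and leaf signed with SHA256WithRSA, verifies the chain the way crypto/x509 does, and audits a chain for SHA-1 based signatures so stale fixtures are caught before a Go upgrade breaks the tests. The CA and leaf names and the AuditChain/GenerateTestChain/VerifyLeaf helpers are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSHA1Based reports the signature algorithms Go 1.18+ refuses to verify
// (the GODEBUG=x509sha1=1 override was a temporary escape hatch).
func isSHA1Based(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return true
	}
	return false
}

// AuditChain returns the CommonName of every certificate in chain whose own
// signature was produced with a SHA-1 based algorithm.
func AuditChain(chain []*x509.Certificate) []string {
	var findings []string
	for _, c := range chain {
		if isSHA1Based(c.SignatureAlgorithm) {
			findings = append(findings, c.Subject.CommonName)
		}
	}
	return findings
}

// GenerateTestChain builds a self-signed CA and a leaf it signs, both with
// SHA256WithRSA. Names are constructed for this example.
func GenerateTestChain() (ca, leaf *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		SignatureAlgorithm:    x509.SHA256WithRSA, // the point of the fix: not SHA1WithRSA
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: "example.test"},
		DNSNames:           []string{"example.test"},
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyLeaf chains leaf to ca exactly as Certificate.Verify does; with a
// SHA-1 signed leaf this is where Go reports x509.InsecureAlgorithmError.
func VerifyLeaf(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"})
	return err
}

func main() {
	ca, leaf, err := GenerateTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("verify error:", VerifyLeaf(leaf, ca))
	fmt.Println("SHA-1 signed certs:", AuditChain([]*x509.Certificate{leaf, ca}))
}
```

Running AuditChain over the parsed fixtures in a test gives a clear failure message ("fixture X is SHA-1 signed") instead of the opaque "certificate signed by unknown authority" wrapper shown in the issue.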