
cosign cli doesn't recognize `.../cryptoKeyVersions/$KEY_VERSION`

Open chuangw6 opened this issue 3 years ago • 5 comments

I want to use cosign cli to verify a signature that was generated using sigstore pkg with a gcp kms ref gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION.

export KEY_REF=gcpkms://projects/chuangw-test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1
cosign verify-blob --key $KEY_REF --signature signature signature

However, I got an error.

Error: verifying blob [signature]: loading public key: open gcpkms:/projects/chuangw-test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1: no such file or directory
main.go:46: error during command execution: verifying blob [signature]: loading public key: open gcpkms:/projects/chuangw-test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1: no such file or directory

If I changed the KEY_REF from .../cryptoKeyVersions/1 to .../versions/1, the cli verification works. If the version part /cryptoKeyVersions/1 is completely removed from the KEY_REF, the cli verification also works.

I am wondering if the verification with ../cryptoKeyVersions/$KEY_VERSION is intentionally not supported by cosign cli or it is a bug. Thanks!

chuangw6 avatar Jul 22 '22 18:07 chuangw6

I see in the error output it's prefixed with gcpkms:/ instead of gcpkms://. If you add an extra slash, do you still get the error?

haydentherapper avatar Aug 02 '22 19:08 haydentherapper

> I see in the error output it's prefixed with gcpkms:/ instead of gcpkms://. If you add an extra slash, do you still get the error?

Hi @haydentherapper ,

The key ref in the cosign verify-blob --key starts with gcpkms:// rather than gcpkms:/. I don't know why the error complains about gcpkms:/.

chuangw6 avatar Aug 02 '22 20:08 chuangw6

To summarize working vs. not-working key refs for signing & verification:

For verification, cosign verify-blob --key $KEY_REF --signature ... is used.

  1. no version specified gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY ✅ works for signing ✅ works for cosign verification

  2. version specified using cryptoKeyVersions gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION ✅ works for signing ❌ doesn't work for cosign verification (see the error in the issue description)

  3. version specified using versions gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION ✅ works for signing ✅ works for cosign verification

chuangw6 avatar Aug 03 '22 21:08 chuangw6

cc @cdris

haydentherapper avatar Aug 04 '22 18:08 haydentherapper

@chuangw6 what version of cosign are you using?

I think https://github.com/sigstore/sigstore/commit/21bce79303a006ad3abd26c368ba3946061d6679 fixes this, and was added to cosign in v0.10.0

The gcpkms:/ behavior looks like cosign trying to interpret the string as a file path after the GCP KMS regex didn't match.

wlynch avatar Aug 18 '22 14:08 wlynch
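To make the behaviour described in this thread concrete, here is an added example (not cosign's or sigstore's code) that models a gcpkms:// reference parser with two patterns: a strict one that only recognises the `.../versions/N` spelling, and a permissive one that also accepts `.../cryptoKeyVersions/N`. It also models the fall-through wlynch describes: when the pattern does not match, the string is handed to a file loader, and a path clean-up collapses `//` to `/`, which is one way the scheme prefix ends up printed as `gcpkms:/...` in an open error. The regular expressions, the `strict` flag and `ResolveKeyRef` are illustrative assumptions, not the patterns or functions in the real projects; the project, key ring and key names are the ones from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// GCPKMSRef holds the components of a gcpkms:// key reference.
type GCPKMSRef struct {
	Project, Location, KeyRing, Key, Version string
}

// ErrNotGCPKMS is returned when a reference does not match the gcpkms:// pattern.
var ErrNotGCPKMS = errors.New("not a gcpkms:// reference")

// fixedRE is an illustrative pattern (not sigstore's) that accepts both spellings
// of the optional version segment: ".../versions/N" and ".../cryptoKeyVersions/N".
var fixedRE = regexp.MustCompile(
	`^gcpkms://projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)` +
		`(?:/(?:versions|cryptoKeyVersions)/([^/]+))?$`)

// strictRE models the behaviour the thread reports before the fix: only
// ".../versions/N" is recognised, so ".../cryptoKeyVersions/N" falls through.
var strictRE = regexp.MustCompile(
	`^gcpkms://projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)` +
		`(?:/versions/([^/]+))?$`)

// parseWith splits ref using re; Version is "" when no version segment is present.
func parseWith(re *regexp.Regexp, ref string) (GCPKMSRef, error) {
	m := re.FindStringSubmatch(ref)
	if m == nil {
		return GCPKMSRef{}, ErrNotGCPKMS
	}
	return GCPKMSRef{Project: m[1], Location: m[2], KeyRing: m[3], Key: m[4], Version: m[5]}, nil
}

// ParseGCPKMSRef parses with the permissive (post-fix) pattern.
func ParseGCPKMSRef(ref string) (GCPKMSRef, error) { return parseWith(fixedRE, ref) }

// ParseGCPKMSRefStrict parses with the strict (pre-fix) pattern.
func ParseGCPKMSRefStrict(ref string) (GCPKMSRef, error) { return parseWith(strictRE, ref) }

// ResolveKeyRef is a hypothetical loader front end: it tries the KMS pattern
// first and otherwise treats the string as a local file path, normalising it
// with path.Clean. Clean collapses "//" into "/", so an unmatched reference is
// reported as "gcpkms:/projects/..." rather than "gcpkms://projects/...".
// It returns the loader kind ("kms" or "file") and the target it would open.
func ResolveKeyRef(ref string, strict bool) (kind string, target string) {
	re := fixedRE
	if strict {
		re = strictRE
	}
	if _, err := parseWith(re, ref); err == nil {
		return "kms", ref
	}
	return "file", path.Clean(ref)
}

func main() {
	base := "gcpkms://projects/chuangw-test/locations/global/keyRings/test/cryptoKeys/mykey"
	for _, ref := range []string{base, base + "/cryptoKeyVersions/1", base + "/versions/1"} {
		for _, strict := range []bool{true, false} {
			kind, target := ResolveKeyRef(ref, strict)
			fmt.Printf("strict=%-5v %-4s %s\n", strict, kind, target)
		}
	}
}
```

Running it shows the three forms from the summary above: without a version and with `/versions/1` both patterns pick the KMS loader, while `/cryptoKeyVersions/1` only reaches the KMS loader under the permissive pattern and otherwise is passed to the file loader with a single slash after the scheme.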

I think this is a bad error message; see https://github.com/sigstore/cosign/pull/2220

znewman01 avatar Sep 03 '22 00:09 znewman01

I'm closing this, as I believe between #2220 (better error message) and https://github.com/sigstore/sigstore/pull/359 the issue is resolved. Please reopen if you're seeing this again.

znewman01 avatar Sep 04 '22 21:09 znewman01