cosign icon indicating copy to clipboard operation
cosign copied to clipboard

Published 20 hours ago verified publisher icon sigstore

"Chain" for verification is confusingly named

Open znewman01 opened this issue 2 years ago • 4 comments

See helpful context: https://github.com/sigstore/cosign/pull/2461#discussion_r1024644134_

The verify-* commands have this argument:

--certificate-chain string: path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate

We automatically trust any provided chain here. That's a reasonable behavior, if you're trying to specify a trust root.

However, when I see a flag named --certificate-chain I assume that it's just something I provide to link the cert back up to a default trust root! It feels eminently reasonable to me to download a certificate and a chain alongside a signature, and want to pass that in.

Can we rename this to something like --ca-trust-root or --root-ca and then just specify in the help text that accepts a certificate or a chain of certs?

znewman01 avatar Nov 18 '22 14:11 znewman01