
bug: x509 verification broken

Open nsmith5 opened this issue 1 year ago • 31 comments

Description

The documented x509 certificate verification isn't working as expected. This is broken in two different ways at HEAD (29360f6a3390d44dd8faef636dd0c3449a213c88) and v2.0.0-rc0.

HEAD

$ cosign verify --certificate-chain bundle.pem --certificate cert.pem $(cat image)
Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
main.go:63: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

v2.0.0-rc0

$ cosign verify --certificate-chain bundle.pem --certificate cert.pem $(cat image) --insecure-ignore-sct
Error: no matching signatures:
error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgC9YnGfLG1oNUg7qbVoI9RaCYNmU
SC8QYw9JCIEdkn+ySEfwRPMVwd8ljiSljFSvw9TWuqxj5WvOMU43wmO9jQ==
-----END PUBLIC KEY-----
, got -----BEGIN CERTIFICATE-----
MIICEzCCAbqgAwIBAgIRAKHhIO8ezAumM0UvolewscEwCgYIKoZIzj0EAwIwJDEi                                                                                                             
MCAGA1UEAxMZTm90RnVsY2lvIEludGVybWVkaWF0ZSBDQTAeFw0yMzAxMTUyMjUz                                                                                                             
NThaFw0yMzAxMTUyMjU5NThaMAwxCjAIBgNVBAMTATEwWTATBgcqhkjOPQIBBggq                                                                                                             
hkjOPQMBBwNCAAQDOAZjN5VZ7wARVO7hoYvf4Ra/UROo/Img1bPIOk5jF1ha+sEp                                                                                                             
duoZ3pKuw7Xv3QCqWWPNNYKr4X5OJoYAbubBo4HkMIHhMA4GA1UdDwEB/wQEAwIH                                                                                                             
gDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUXVBLLUtgD8UljJXEkzXp                                                                                                             
yH8aTywwHwYDVR0jBBgwFoAU5h1Is9hr/ITmJe3qM3aThHsfETAwNgYDVR0RBC8w                                                                                                             
LYEPY29kZUBuZnNtaXRoLmNhhhpodHRwczovL2NvZGUubmZzbWl0aC5jYS8jMTBC
BgwrBgEEAYKkZMYoQAEEMjAwAgECBAVnaXRlYQQkZjQ5YzkwNmYtZGZiZC00NjI2
LWExMWEtMmQyODhlMjYzZmM2MAoGCCqGSM49BAMCA0cAMEQCICPQcmZ4/f+rnERW
a+nTuWcgVSne2X2IzSzAOrJggLh4AiBDKMzfsaDkxY8JAned38JScsA3I0C0tMGk
qivv/JB29w==
-----END CERTIFICATE-----

Version

  • v2.0.0-rc0
  • HEAD (29360f6a3390d44dd8faef636dd0c3449a213c88)

nsmith5 Jan 16 '23 00:01