
cosign sign: the error message of passing mis-ordered CA chain is not clear (misleading).

Open zhaoyonghe opened this issue 2 years ago • 2 comments

Description

I met this error when trying cosign sign.

$ COSIGN_PASSWORD="" ./cosign sign --upload=true --tlog-upload=false --certificate-chain staging_ca_bundle.pem --key import-cosign.key --cert cert --timestamp-server-url https://tsa.enforce.dev/api/v1/timestamp haskell@sha256:f33e8cb119fd5b436c39a3f45000bf732bce8e2ac71553ac5d307c10d01418ba

Error: signing [haskell@sha256:f33e8cb119fd5b436c39a3f45000bf732bce8e2ac71553ac5d307c10d01418ba]: getting signer: unable to validate certificate chain: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:74: error during command execution: signing [haskell@sha256:f33e8cb119fd5b436c39a3f45000bf732bce8e2ac71553ac5d307c10d01418ba]: getting signer: unable to validate certificate chain: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

The root cause is that I did not permute the CA cert chain following the instruction:

$ ./cosign sign --help | grep root
      --certificate-chain string                                                                 path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature

staging_ca_bundle.pem includes 13 self-signed root CA certs for different environments. There is no intermediate CA. The code signing cert is directly signed by one of the root CAs and that CA cert is in the second place in staging_ca_bundle.pem (1 cert above and 11 certs below). After I delete other root CA certs or put that cert to the bottom, it works.

The error message is a little bit misleading because cosign sign does not load SIGSTORE_ROOT_FILE anywhere (only loaded in cosign verify).

More info: https://sigstore.slack.com/archives/C01PZKDL4DP/p1682632649714239

/cc @znewman01 @haydentherapper

Version

GitVersion: v2.0.2-10-gef1b2a02 GitCommit: ef1b2a02076550980c5e3a5cd8b95f1ad72b52c0 GitTreeState: clean BuildDate: 2023-04-27T21:35:22Z GoVersion: go1.19.3 Compiler: gc Platform: darwin/amd64

zhaoyonghe avatar Apr 28 '23 13:04 zhaoyonghe

The longer-term fix is to clarify how --certificate-chain and friends work. It will probably happen as part of this issue: https://github.com/sigstore/cosign/issues/2472

The error message should get fixed regardless! It mentions $SIGSTORE_TRUST_ROOT but comes from a part of the code that doesn't use $SIGSTORE_TRUST_ROOT. And then we could be more specific about what failed. For instance, if the error was "validating certificate chain (from --certificate-chain) failed because ..." this would be much easier to debug.

znewman01 avatar Apr 28 '23 14:04 znewman01

The root cause is that --certificate-chain is not a bundle, it's the chain to verify --certificate. The chain should be comprised of PEM-encoded certificates starting with the intermediate and ending with the root. See the help text: "path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature"

On verification, you can specify SIGSTORE_ROOT_FILE pointing to a bundle of N roots and intermediates, and it will properly split up the certs accordingly.

The error message is because it was picking the wrong root to verify the provided certificate (which it does on signing, to make sure the chain is valid).

haydentherapper avatar Apr 28 '23 16:04 haydentherapper
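The following Go program is an added illustration of the contract discussed in this thread; it is not cosign's code and does not reproduce cosign's implementation. VerifyOrdered applies the rule from the --certificate-chain help text (last entry is the trusted root, every earlier entry is an intermediate) with Go's standard x509 verifier, so a multi-root bundle whose issuing root is not last fails with the same "certificate signed by unknown authority" error the reporter saw. Diagnose sketches the more specific message znewman01 asks for by locating which bundle entry actually signed the leaf and stating where the contract requires it to be. BuildFixture generates throwaway Ed25519 certificates (two unrelated self-signed roots and a code-signing leaf issued by the first) purely as constructed test input; all function names, certificate names and error wording here are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCerts returns every CERTIFICATE block of a PEM bundle, in file order.
func ParseCerts(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in PEM input")
	}
	return certs, nil
}

// VerifyOrdered applies the help-text contract: the LAST entry of --certificate-chain is
// the only trusted root, every earlier entry is an intermediate (assumed reading of the contract).
func VerifyOrdered(leaf *x509.Certificate, chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[:len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Diagnose returns the 1-based bundle entry that issued the leaf (0 if none) and an
// error when that entry is not where the contract requires it (root last, intermediate first).
func Diagnose(leaf *x509.Certificate, chain []*x509.Certificate) (int, error) {
	const prefix = "validating certificate chain (from --certificate-chain) failed: "
	for i, c := range chain {
		if leaf.CheckSignatureFrom(c) != nil {
			continue // this entry did not sign the leaf
		}
		isRoot := c.CheckSignatureFrom(c) == nil // self-signed entries are treated as roots
		if (isRoot && i != len(chain)-1) || (!isRoot && i != 0) {
			return i + 1, fmt.Errorf(prefix+"entry %d of %d issued the signing certificate; a root must be last and an intermediate first", i+1, len(chain))
		}
		return i + 1, nil
	}
	return 0, fmt.Errorf(prefix + "no entry issued the signing certificate")
}

// BuildFixture constructs throwaway material (not cosign's or the reporter's certificates).
func BuildFixture() (leaf, rootA, rootB []byte, err error) {
	tmpl := func(cn string, serial int64, isCA bool) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
		if isCA {
			t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		}
		return t
	}
	// issue signs t for a fresh Ed25519 key; a nil signer means self-signed.
	issue := func(t, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, ed25519.PrivateKey, error) {
		pub, key, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		if signer == nil {
			parent, signer = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			return nil, nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
	}
	ta := tmpl("root-A", 1, true)
	rootA, keyA, err := issue(ta, nil, nil)
	if err != nil {
		return
	}
	if rootB, _, err = issue(tmpl("root-B", 2, true), nil, nil); err != nil {
		return
	}
	leaf, _, err = issue(tmpl("code-signer", 3, false), ta, keyA)
	return
}
```

With the fixture, a bundle of root-A followed by root-B makes VerifyOrdered treat root-B as the sole trust anchor and root-A as an intermediate, which reproduces the reporter's failure; reversing the order, or passing root-A alone, verifies. The split-by-position logic is the crux: a verifier that instead treats every self-signed entry as a root (as the comment describes for SIGSTORE_ROOT_FILE on the verify side) would accept either order.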