cosign doesn't take certificate for verification
Hi,
I was trying out cosign verify --key cosign.pub $IMAGE:$TAG --insecure-ignore-tlog=true and it did the verification, but when I pass inter1.crt, where inter1.crt is the certificate which also contains the cosign.pub part, it fails.
So my question/issue/need is: could we make the --key tag (argument) take .crt or certificate(s) as well? It would ease our workflow of container image verification using x509 certs, such that the customers' trust also remains maintained.
My Workflow
Self-signed root key & cert: dev-key.pem (private key) and dev.crt (certificate).
Created a pair of leaf keys with the root keys: inter1.key (private) and inter1.csr (signing req).
Created inter1.crt with the CSR, dev-key.pem (root private key) and dev.crt (root certificate), so it becomes a chain of trust down to the leaf.
Now,
imported inter1.key as cosign.key and cosign.pub,
and when I go to verify I want to pass the entire chain of trust (or just the signer certificate could also be enough) instead of just cosign.pub.
ERRORS I am getting when passing the cert in --key:
root@okhardubuntu:/home/ubuntu/cosignKeyws/selfSignedRoot# cosign verify --key inter1.crt $IMAGE:$TAG --insecure-ignore-tlog=true --certificate inter1.crt
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: loading public key: pem to public key: unknown Public key PEM file type: CERTIFICATE. Are you passing the correct public key?
main.go:74: error during command execution: loading public key: pem to public key: unknown Public key PEM file type: CERTIFICATE. Are you passing the correct public key?
Important:
The image is being signed with cosign.key.
cosign.key is created using:
COSIGN_PASSWORD="" cosign import-key-pair --key inter1.key --output-key-prefix=cosign -y
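As an added example (not cosign's code and not part of the original issue), the following Go program shows what the request amounts to: a key loader that accepts either the PKIX "PUBLIC KEY" block that --key takes today or a "CERTIFICATE" block, plus a verifier that, when given a certificate, chains it to a trusted root with code signing permitted before it checks the signature. The chain is constructed in memory (NewChain stands in for dev.crt, inter1.crt and inter1.key); the function names and the payload are hypothetical. The error string in the default branch is the one the issue reports, reproduced for comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // fixture construction only; the verifiers below return errors
	}
}

// NewChain is a constructed stand-in for the issue's files: a self-signed root (dev.crt),
// a code-signing leaf issued by it (inter1.crt) and the leaf's private key (inter1.key).
func NewChain() (rootPEM, leafPEM []byte, leafKey *ecdsa.PrivateKey) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dev root (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	check(err)
	rootCert, err := x509.ParseCertificate(rootDER) // parsed copy carries the generated SubjectKeyId
	check(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "inter1 signer (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, rootCert, &leafKey.PublicKey, rootKey)
	check(err)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(rootDER), toPEM(leafDER), leafKey
}

// LoadPublicKey does what the issue asks of --key: it accepts a PKIX "PUBLIC KEY" block
// (today's behaviour) or a "CERTIFICATE" block, returning the certificate too when present.
func LoadPublicKey(pemBytes []byte) (pub *ecdsa.PublicKey, cert *x509.Certificate, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, nil, errors.New("no PEM block found")
	}
	var key interface{}
	switch block.Type {
	case "PUBLIC KEY":
		key, err = x509.ParsePKIXPublicKey(block.Bytes)
	case "CERTIFICATE":
		if cert, err = x509.ParseCertificate(block.Bytes); err == nil {
			key = cert.PublicKey
		}
	default: // the branch cosign takes today when handed inter1.crt
		err = fmt.Errorf("unknown Public key PEM file type: %s", block.Type)
	}
	if pub, _ = key.(*ecdsa.PublicKey); err == nil && pub == nil {
		err = errors.New("not an ECDSA public key")
	}
	if err != nil {
		return nil, nil, err
	}
	return pub, cert, nil
}

// VerifyWithCert is the verification the issue wants: key from the signer certificate,
// chain to the trusted root with code signing permitted, and only then the signature check.
func VerifyWithCert(certPEM, rootsPEM, payload, sig []byte) error {
	pub, cert, err := LoadPublicKey(certPEM)
	if err != nil {
		return err
	}
	if cert != nil { // a bare PUBLIC KEY carries no chain to check
		roots := x509.NewCertPool()
		if !roots.AppendCertsFromPEM(rootsPEM) {
			return errors.New("no usable root certificate")
		}
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("chain of trust: %w", err)
		}
	}
	if digest := sha256.Sum256(payload); !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rootPEM, leafPEM, leafKey := NewChain()
	payload := []byte("constructed image payload") // stands in for the signed image digest
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	check(err)
	fmt.Println("verify with inter1.crt chained to dev.crt:", VerifyWithCert(leafPEM, rootPEM, payload, sig))
}
```

The CERTIFICATE branch is the same thing as extracting the public key with openssl x509 -in inter1.crt -pubkey -noout and passing the result to --key, which is the workaround available today; the difference is that the loader keeps the certificate, so the verifier can insist on a chain to dev.crt and on the code-signing usage instead of trusting whatever key happens to be inside the file. Note that cosign verify already has --certificate (used in the command above) and --certificate-chain flags for certificate-based verification; this example illustrates the --key behaviour the issue requests rather than those flags.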