goreleaser / goreleaser-example-supply-chain

Example goreleaser + github actions config with keyless signing and SBOM generation

Home Page: https://goreleaser.com


--certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

sagikazarmark opened this issue · comments

The commands in the README for blob verification do not work with cosign 2.0. They fail with the following error:

--certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

I'm still trying to figure out what I'm doing wrong, but I thought I'd open an issue early in case this is a known issue or in case someone else faces the same problem.

cc/ @cpanato I looked into it but also don't understand why it's broken... can you help?

it seems that something like this works for things signed with newer versions of cosign:

COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --certificate-identity 'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert https://github.com/goreleaser/goreleaser-pro/releases/download/nightly/checksums.txt.pem \
  --signature https://github.com/goreleaser/goreleaser-pro/releases/download/nightly/checksums.txt.sig \
  https://github.com/goreleaser/goreleaser-pro/releases/download/nightly/checksums.txt
Verified OK

things signed with old versions don't work, though:

COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --certificate-identity 'https://github.com/goreleaser/supply-chain-example/.github/workflows/release.yml@refs/tags/v1.2.0' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.pem \
  --signature https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.sig \
  https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt
Error: verifying blob [https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt]: certificate does not include required embedded SCT and no detached SCT was set
main.go:74: error during command execution: verifying blob [https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt]: certificate does not include required embedded SCT and no detached SCT was set

@cpanato is this the recommended way? is there another?

thanks!

I've been trying to look for an issue on cosign's issue tracker, but either no one has a problem with this or 2.0 is so new that nobody really uses it yet.

for that you will need to set --insecure-ignore-sct

$ cosign verify-blob \
  --certificate-identity 'https://github.com/goreleaser/supply-chain-example/.github/workflows/release.yml@refs/tags/v1.2.0' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.pem \
  --signature https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.sig \
  --insecure-ignore-sct  \
  https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt
Verified OK

also, you can drop COSIGN_EXPERIMENTAL=1; it is not required for the 2.0.0 release
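The two fixes in this thread (pin --certificate-identity and --certificate-oidc-issuer; add --insecure-ignore-sct only for certificates issued before Fulcio embedded SCTs) belong in a complete release check: verify the keyless signature on checksums.txt, then verify the downloaded assets against that signed list. The script below is an added example, not code from this repository or from the goreleaser project. It assumes cosign 2.x on PATH (the thread's --cert is the short alias of --certificate), GNU sha256sum and awk, and that checksums.txt, checksums.txt.pem, checksums.txt.sig and the assets have already been downloaded into one directory; the repo, tag and workflow values are the thread's but are passed as parameters, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the goreleaser project): verify a goreleaser
# release in two steps. Step 1 checks the keyless cosign signature on
# checksums.txt with the signing identity pinned; step 2 checks each
# downloaded asset against that signed checksum list.
set -eu

ISSUER='https://token.actions.githubusercontent.com'

# Identity that must appear in the Fulcio certificate: the exact workflow
# file and git ref that produced the signature. Pinning to refs/tags/<tag>
# rejects a signature made by the same workflow on another branch, or by a
# fork, even though Fulcio issued it a perfectly valid certificate.
expected_identity() {
    # $1 = owner/repo, $2 = workflow file name, $3 = tag
    printf 'https://github.com/%s/.github/workflows/%s@refs/tags/%s\n' "$1" "$2" "$3"
}

# Verify checksums.txt, checksums.txt.pem and checksums.txt.sig found in $1.
# IGNORE_SCT=1 adds --insecure-ignore-sct, which drops the check that the
# certificate carries a Certificate Transparency SCT; use it only for
# signatures made before Fulcio embedded SCTs (the v1.2.0 case above).
verify_checksums_signature() {
    dir=$1
    repo=$2
    tag=$3
    workflow=$4
    set -- --certificate-identity "$(expected_identity "$repo" "$workflow" "$tag")" \
           --certificate-oidc-issuer "$ISSUER" \
           --certificate "$dir/checksums.txt.pem" \
           --signature "$dir/checksums.txt.sig"
    if [ "${IGNORE_SCT:-0}" = 1 ]; then
        set -- "$@" --insecure-ignore-sct
    fi
    cosign verify-blob "$@" "$dir/checksums.txt"
}

# Check each named asset in $1 against the signed checksums.txt. An asset
# that is not listed is rejected too, so an extra file dropped onto the
# release page cannot pass merely because nothing contradicts it.
verify_assets() {
    dir=$1
    shift
    for asset in "$@"; do
        # Exact match on the file-name column; no regex, so dots are literal.
        if ! line=$(awk -v a="$asset" '$2 == a { print; found = 1 } END { exit found ? 0 : 1 }' "$dir/checksums.txt"); then
            echo "not listed in checksums.txt: $asset" >&2
            return 1
        fi
        printf '%s\n' "$line" | (cd "$dir" && sha256sum -c - >/dev/null) || return 1
    done
}

# Whole procedure: $1 = directory, $2 = owner/repo, $3 = tag, $4 = workflow
# file, remaining arguments = asset file names downloaded into $1.
verify_release() {
    dir=$1
    repo=$2
    tag=$3
    workflow=$4
    shift 4
    verify_checksums_signature "$dir" "$repo" "$tag" "$workflow"
    verify_assets "$dir" "$@"
}
```

A typical call is `verify_release ./dl goreleaser/supply-chain-example v1.2.0 release.yml <asset>...`, with `IGNORE_SCT=1` set only when cosign reports the "certificate does not include required embedded SCT" error from the thread. Note what the first step does and does not prove: a passing signature shows that the checksums.txt was signed by that workflow at that ref, so anything not hashed in it (or an asset whose hash was never checked in step 2) is unverified.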

ah nice, thank you @cpanato!

@cpanato do you know why these options are necessary in the first place? Seems rather inconvenient to me and makes me question the usefulness of keyless signatures.

Are they always going to be required?

I managed to read a bit more about this, but boy, the context is hidden deep in issues. I guess it makes sense... still, it feels like this change wasn't prepared enough.