Why does notation verification take only the root certificate in the truststore? #910
Comments
@omkhard I believe you asked the same question on the Slack channel. As I commented in Slack, would you mind checking this verification specification to see whether it helps answer your question. Thanks.
These are the steps I am trying:
-> openssl req -x509 -newkey rsa:2048 -keyout root.key -out root.crt -days 365 -nodes -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=root" -config /root/.config/notation/localkeys/rootTmp.cnf
-> openssl req -out inter2.csr -newkey rsa:2048 -keyout inter2.key -nodes -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=inter2" -config ~ubuntu/ctrSign/tmp1.cnf
-> cat inter2.crt inter1.crt root.crt > concat.crt
Q: Are we not taking the entire chain for verification of an image signed with the entire chain?
Thanks @omkhard for providing these details. Yes, root CA certificates are stored in the trust store. You can check the Notary Project trust store spec for details.
@omkhard The trust store is used to store trusted certificates. When you put root certificates in the trust store, that means you trust these roots. To answer your question, notation requires the entire chain for validation. The chain is stored in the signature envelope, which is added by the signer.
This issue is stale because it has been opened for 60 days with no activity. Remove the stale label or comment. Otherwise, it will be closed in 30 days.
What is not working as expected?
We are giving the chain of certificates, from the root certificate through the intermediate certificate to the leaf cert, and giving the leaf private key for signing, but during verification only the root certificate in the truststore and the subject of the leaf certificate are enough for signing.
My question is: how is the integrity of the leaf key verified against the leaf cert, and where? I looked, and there happens some (hash-algorithm) revocation, and it creates a payload and verifies using it. May I get some more in-depth knowledge about the signer's public key integrity check?
What did you expect to happen?
Explanation
How can we reproduce it?
Chain Signing/Verifying
Describe your environment
wget, OS: Linux, shell: bash
What is the version of your Notation CLI or Notation Library?
1.1.0
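To make the maintainers' answer concrete (the chain travels inside the signature envelope, the trust store holds only roots, and the payload signature is checked against the public key in the leaf certificate), here is an added Go example that is not notation's own code. It builds a constructed root -> inter1 -> inter2 -> leaf hierarchy with Go's standard crypto/x509, signs a constructed payload with the leaf key, and verifies with a trust store that contains nothing but the root. The Envelope type and the BuildPKI, Sign and Verify functions are this example's own names, not notation-go APIs; notation's real envelopes are JWS or COSE, and its verifier also applies trust policy, revocation and timestamp checks that are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Envelope is a constructed stand-in for a signature envelope (not notation's real
// JWS/COSE format): payload, signature over it, and the signer's chain, leaf first.
type Envelope struct {
	Payload, Signature []byte
	Chain              []*x509.Certificate
}

var serial int64 // unique serial numbers for the constructed certificates

// must panics on error; fine for a demo whose inputs are all constructed locally.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for cn/key with parent/parentKey (self-signed when parent
// is nil). CAs get keyCertSign; the leaf gets the codeSigning EKU notation requires.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// BuildPKI constructs root -> inter1 -> inter2 -> leaf; returns the chain leaf first.
func BuildPKI() ([]*x509.Certificate, *ecdsa.PrivateKey) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, i1Key, i2Key, leafKey := newKey(), newKey(), newKey(), newKey()
	root := issue("root", true, rootKey, nil, nil)
	i1 := issue("inter1", true, i1Key, root, rootKey)
	i2 := issue("inter2", true, i2Key, i1, i1Key)
	leaf := issue("leaf", false, leafKey, i2, i2Key)
	return []*x509.Certificate{leaf, i2, i1, root}, leafKey
}

// Sign is the signer's side: sign with the leaf key and embed the whole chain.
func Sign(payload []byte, leafKey *ecdsa.PrivateKey, chain []*x509.Certificate) Envelope {
	digest := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))
	return Envelope{Payload: payload, Signature: sig, Chain: chain}
}

// Verify is the verifier's side, holding only roots: build a path from the envelope's
// leaf through the envelope's intermediates to a trusted root (each CA signature on the
// path is checked), then verify the payload signature with the leaf's own public key.
func Verify(env Envelope, trustStore *x509.CertPool) error {
	if len(env.Chain) == 0 {
		return fmt.Errorf("envelope carries no certificate chain")
	}
	leaf, intermediates := env.Chain[0], x509.NewCertPool()
	for _, c := range env.Chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: trustStore, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("no path from leaf to a trusted root: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(env.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return fmt.Errorf("payload signature does not verify under the leaf's public key")
	}
	return nil
}

func main() {
	chain, leafKey := BuildPKI()
	roots := x509.NewCertPool()
	roots.AddCert(chain[3]) // the trust store holds only the root certificate
	fmt.Println("full chain:", Verify(Sign([]byte("constructed payload"), leafKey, chain), roots))
	fmt.Println("leaf only: ", Verify(Sign([]byte("constructed payload"), leafKey, chain[:1]), roots))
}
```

The two lines in main show why the whole chain has to be in the envelope: with only the leaf present, no path to the trusted root can be built and verification fails before the payload signature is even examined. The leaf private key itself is never checked by the verifier; its possession is proven by the payload signature verifying under the public key embedded in the leaf certificate, and the chain up to the root in the trust store is what certifies that this public key belongs to the leaf's subject.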