Cosign cannot verify signatures generated with RSA keys

[cperlman]

Description

We are hosting our own Sigstore and have deployed both Rekor and Fulcio with RSA keys hosted in AWS. We are not signing container images but exclusively blobs through e.g.

cosign sign-blob <blob> --identity-token <token> --rekor-url <rekor_url> --fulcio-url <fulcio_url>

This works as expected and verifying generated signatures with openssl is not a problem.

However, when attempting to verify the generated signatures with Cosign, things fail with <key id> is not type ecdsa.PublicKey.

If you can sign with RSA I would argue that you should also be able to verify with RSA.

Version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion: v2.4.1-2-gc7d04ba7
GitCommit: c7d04ba
GitTreeState: clean
BuildDate: 2024-10-06T13:50:27Z
GoVersion: go1.22.7
Compiler: gc
Platform: darwin/arm64

[bobcallaway]

Can you share the SigningAlgorithmSpec you're using with your AWS KMS RSA key?

[cperlman]

Can you share the SigningAlgorithmSpec you're using with your AWS KMS RSA key?

RSASSA_PKCS1_V1_5_SHA_256

fwiw we validate with

cosign verify-blob <blob> --certificate-identity-regexp "..." --certificate-oidc-issuer "..." --certificate "..." --signature "..." --rekor-url="..."