how does the Sign and attach a certificate and certificate chain work #3928

Open
sidYana opened this issue Nov 8, 2024 · 1 comment
Labels
question Further information is requested


sidYana commented Nov 8, 2024

Question
I am confused about how the "Sign and attach a certificate and certificate chain" part works.

We have a custom CA which generates our certs. I generated a cert and tried using it for the signing process, thinking that the cert would provide some extra features like validity checks, etc.

But what I noticed is that, irrespective of whether I provide the cert or not during signing, the verify cmd does not care and just checks if the key is provided or not.

What exactly is happening here?

Below is one of the outputs:

```
$ cosign sign --key cosign.key IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --cert cert.crt --cert-chain chain.crt --insecure-ignore-tlog ${IMAGE_NAME_AND_TAG}
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • The signatures were verified against the specified public key
    [{"critical":{"identity":{"docker-reference":"IMAGE_NAME"},"image":{"docker-manifest-digest":"sha256:12ac9989d832da2e35052d8d8ef5f27f1eb7e85a260326d484a949c300a6fa"},"type":"cosign container image signature"},"optional":null}]
```

Something similar happens when we sign and attach a cert but don't verify with that cert:

```
$ cosign sign --key cosign.key --cert cert.crt --cert-chain chain.crt IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --insecure-ignore-tlog IMAGE_NAME_AND_TAG
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • The signatures were verified against the specified public key
    [{"critical":{"identity":{"docker-reference":"IMAGE_NAME_AND_TAG"},"image":{"docker-manifest-digest":"sha256:02ae9710e2a6c32ff714f27e5f3ade6412ff513f1d4556f37c96c3f2140bc8"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
```

I want to know what the use of attaching the cert is, and why in this case the cert is not verified or checked.
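An added illustration, not cosign's own code and not part of this issue: a small Go program that keeps the two checks apart. The outputs above show `--key` verification checking only the public key; the program shows why an attached certificate adds nothing to that path, and that only a verifier anchored at the certificate chain rejects a signer certificate that was not issued by the trusted CA, has expired, or is not valid for code signing. `mint`, `VerifyWithChain`, `Scenario`, the CA and subject names and the claims payload are constructed for this example, and Ed25519 keys are used for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mint issues a one-hour certificate for pub under signer; CertSign usage makes it a CA, nil parent self-signs.
func mint(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, IsCA: ku == x509.KeyUsageCertSign, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}

// VerifyWithChain mirrors `--cert`/`--cert-chain`: the leaf must chain to a trusted root before its key is used.
func VerifyWithChain(leaf *x509.Certificate, roots *x509.CertPool, payload, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return false // untrusted issuer, expiry or wrong usage fails here, before any signature check
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, payload, sig)
}

// Scenario: a constructed CA issues a leaf for the signing key. Returns the `--key` result, the chain
// result anchored at that CA, and the chain result when no root is trusted: true, true, false.
func Scenario() (keyOnly, ourRoot, noRoot bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	signPub, signKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := mint("our-ca", 1, x509.KeyUsageCertSign, nil, caPub, caKey)
	leaf := mint("ci-signer", 2, x509.KeyUsageDigitalSignature, ca, signPub, caKey)
	payload := []byte(`{"critical":{"identity":{"docker-reference":"IMAGE_NAME"}}}`) // constructed stand-in
	sig := ed25519.Sign(signKey, payload)
	ours := x509.NewCertPool()
	ours.AddCert(ca)
	keyOnly = ed25519.Verify(signPub, payload, sig) // `--key` path: the certificate is never consulted
	return keyOnly, VerifyWithChain(leaf, ours, payload, sig), VerifyWithChain(leaf, x509.NewCertPool(), payload, sig)
}
```

The block has no `main`; call `Scenario()` from a `_test.go` file (or add a `main` that prints its three results).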


sidYana commented Nov 13, 2024

Hi team, any info on this will be appreciated.
