sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Fail to get public key from Azure key vault on cosign version v2.1.0 #3083

Open akorp opened 1 year ago

akorp commented 1 year ago

Description

Fail to get public key from Azure key vault on cosign version v2.1.0.

Seems like a malformed URL for fetching a key: https://<key-vault>.vault.azure.net/keys/https://<key-vault>.vault.azure.net//<key> instead of https://<key-vault>.vault.azure.net/keys/<key>

Run cosign sign --key "azurekms://<redacted>.vault.azure.net/<redacted>" <redacted>.azurecr.io/<redacted>

Error: signing [<redacted>]: getting signer: reading key: kms get: failed to get public key: public key: public key: GET https://<redacted>.vault.azure.net/keys/https://<redacted>.vault.azure.net//<redacted>
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE UNAVAILABLE
...

main.go:74: error during command execution: signing [<redacted>]: getting signer: reading key: kms get: failed to get public key: public key: public key: GET https://<redacted>.vault.azure.net/keys/https://<redacted>.vault.azure.net//<redacted>
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request

Version

https://github.com/sigstore/cosign/releases/download/v2.1.0/cosign-linux-amd64

hectorj2f commented 1 year ago

@akorp The expected format should be: cosign sign --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] <IMAGE DIGEST>. I assume you used the Azure CLI to log in and access your Azure key vault.

akorp commented 1 year ago

@hectorj2f yes, we use az acr login to log in before running cosign.

Was the format changed recently? If we use the values as they are given in the Azure portal, the azurekms value will be quite strange: VAULT_NAME=testkeyvault VAULT_URI=https://testkeyvault.vault.azure.net/ KEY=testkey1

cosign sign --key azurekms://testkeyvaulthttps://testkeyvault.vault.azure.net/testkey1

hectorj2f commented 1 year ago

I assume there is a problem and it should only use the VAULT_URI/KEY
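As an added illustration (not cosign's or sigstore's own code), the following Go program assumes the reference layout azurekms://<vault-host>/<key>[/<version>] that the thread converges on. It parses such a reference strictly, rejecting the VAULT_NAME+VAULT_URI concatenation that the documented format invites, derives the Key Vault key URL from it, reproduces the doubled-host URL shape from the error output above as a hypothetical construction (a caller passing the portal's VAULT_URI plus key where only the key name belongs; this is an assumption, not the diagnosed cause), and adds a pre-flight check that catches that shape before any request is made.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not cosign's code. Names, layout and the failure
// reconstruction below are assumptions made for illustration.

const azureKMSScheme = "azurekms://"

// AzureKeyRef is the parsed form of azurekms://<vault-host>/<key>[/<version>].
type AzureKeyRef struct {
	VaultHost string // e.g. testkeyvault.vault.azure.net
	KeyName   string
	Version   string // optional key version
}

// ParseAzureKMSRef splits the reference into its components and rejects
// anything that embeds a second URL, which is what reading the documented
// [VAULT_NAME][VAULT_URI]/[KEY] literally produces.
func ParseAzureKMSRef(ref string) (AzureKeyRef, error) {
	if !strings.HasPrefix(ref, azureKMSScheme) {
		return AzureKeyRef{}, fmt.Errorf("reference %q does not start with %s", ref, azureKMSScheme)
	}
	rest := strings.TrimPrefix(ref, azureKMSScheme)
	if strings.Contains(rest, "://") {
		return AzureKeyRef{}, fmt.Errorf("reference %q embeds a URL; use the bare vault host, e.g. azurekms://<vault>.vault.azure.net/<key>", ref)
	}
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || len(parts) > 3 {
		return AzureKeyRef{}, errors.New("expected azurekms://<vault-host>/<key>[/<version>]")
	}
	r := AzureKeyRef{VaultHost: parts[0], KeyName: parts[1]}
	if len(parts) == 3 {
		r.Version = parts[2]
	}
	if r.VaultHost == "" || r.KeyName == "" || strings.Contains(r.VaultHost, ":") {
		return AzureKeyRef{}, fmt.Errorf("reference %q: vault host must be a bare DNS name and key name must be non-empty", ref)
	}
	return r, nil
}

// KeyURL is the Key Vault REST URL the public key would be fetched from.
func (r AzureKeyRef) KeyURL() string {
	u := url.URL{Scheme: "https", Host: r.VaultHost, Path: "/keys/" + r.KeyName}
	if r.Version != "" {
		u.Path += "/" + r.Version
	}
	return u.String()
}

// NaiveKeyURL joins a vault URL and a "key name" without validating either.
// Hypothetical reconstruction of the symptom only: feeding it the portal's
// VAULT_URI (trailing slash) plus "/<key>" as the key name yields the
// https://<vault>/keys/https://<vault>//<key> shape seen in the error output.
func NaiveKeyURL(vaultURL, keyName string) string {
	return strings.TrimSuffix(vaultURL, "/") + "/keys/" + keyName
}

// CheckKeyURL is a pre-flight check on a key URL before it is requested:
// https, one host, and a path of the form /keys/<name>[/<version>].
func CheckKeyURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("key URL %q: expected https://<vault-host>/...", raw)
	}
	if strings.Contains(u.Path, "://") || strings.Contains(u.Path, "//") {
		return fmt.Errorf("key URL %q: path embeds a second URL (vault URI passed where the key name belongs?)", raw)
	}
	segs := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if segs[0] != "keys" || len(segs) < 2 || len(segs) > 3 || segs[1] == "" {
		return fmt.Errorf("key URL %q: path must be /keys/<name>[/<version>]", raw)
	}
	return nil
}

func main() {
	// Constructed inputs: a correct reference and the literal reading of the docs from this thread.
	for _, ref := range []string{
		"azurekms://testkeyvault.vault.azure.net/testkey1",
		"azurekms://testkeyvaulthttps://testkeyvault.vault.azure.net/testkey1",
	} {
		r, err := ParseAzureKMSRef(ref)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("fetch:", r.KeyURL(), "check:", CheckKeyURL(r.KeyURL()))
	}
	// Reproduce the doubled URL shape from the error output, then catch it.
	bad := NaiveKeyURL("https://testkeyvault.vault.azure.net/", "https://testkeyvault.vault.azure.net//testkey1")
	fmt.Println(bad)
	fmt.Println("check:", CheckKeyURL(bad))
}
```

The reject path is the practical takeaway: a client that validates the parsed reference and the derived URL fails fast with a message pointing at the mis-assembled input, rather than surfacing a Key Vault 400 with the doubled host buried in the path.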

LindaArende commented 1 year ago

In our team today we discovered exactly the same issue and confusion about the documentation, which was already pointed out above regarding the weird structure of the key URL. Previously VAULT_URI/KEY worked fine without issues. Nothing in the 2.1 release changelog made me think that the new release would affect the sign command, but here we are.

akorp commented 1 year ago

We mitigated by downgrading to v2.0.2, but it would be nice to have more info on whether the new format is a bug or a feature 😄

hectorj2f commented 1 year ago

It could be related to the upgrade of the dependencies, so we might need to update the docs.

haydentherapper commented 1 year ago

cc @malancas

malancas commented 1 year ago

This looks like a bug, there were no format changes introduced. I will take a look into this soon and post an update when a fix is available. Thanks for filing an issue.