Closed ThomasPorterAVEVA closed 10 months ago
Does https://github.com/sigstore/cosign/pull/3334 resolve this?
I will configure that and give it a shot!
Heck yes, this does exactly what is needed, crazy how it just was added to the latest version. Thank you so much for pointing it out!
For anyone watching this from the future, I did an export to set that flag and it all works now!
export COSIGN_PKCS11_IGNORE_CERTIFICATE=1
Description
Overview
It appears that when using a Virtual PKCS#11 Token, such as those provided by service providers like DigiCert to communicate with a Hardware Security Module (HSM), cosign does not push the public key to Rekor. Instead, the full public certificate is stored, which confuses cosign on verification on the image consumer's end.
It seems to stem from this area of the code where, if the public certificate is available, the public certificate is uploaded to Rekor instead of the public key: https://github.com/sigstore/cosign/blob/173f547a4e34c3dbb477f85e97da1aeba380b29d/internal/pkg/cosign/rekor/signer.go#L77
Granted, the error message makes sense: validating against Rekor doesn't work because a public key is being compared to a public certificate. However, we don't want to require consumers of our images to have the full public certificate, and it doesn't seem clear how that would work.
Disabling Rekor on both ends (--tlog-upload=false on signing and --insecure-ignore-tlog=true on verification) works. However, we don't want to do that if we don't have to, and the insecure messages will lead to more questions by our image consumers. I admit this may be user error somewhere, so any guidance on how to have customers validate with the public signature would be appreciated.
Thanks!
How to reproduce
Use cosign to sign an image using a Virtual PKCS#11 Token:
Use cosign to verify using the same Virtual PKCS#11 Token:
Exporting the public key and attempting to verify on it directly has the same result:
Version
Version of Ubuntu and cosign