sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

--insecure-ignore-sct possibly broken when verifying keyless sig #3514

Closed willarmiros closed 9 months ago

willarmiros commented 9 months ago

Description

I have been following this blog to run a sigstore setup including Rekor, Fulcio, and TUF locally. Everything has worked ok until I try to verify a signature.

I sign a blob using:

COSIGN_EXPERIMENTAL=1 cosign sign-blob --fulcio-url http://localhost:5555 --rekor-url http://localhost:3000 --insecure-skip-verify --output-certificate local.cert --output-signature local.sig  my_file

I then try to verify the signature like so:

COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert local.cert --rekor-url http://localhost:3000 --signature local.sig --certificate-identity <my_email> --certificate-oidc-issuer https://github.com/login/oauth --insecure-ignore-sct  my_file

This gives the following error:

**Warning** Missing fallback target fulcio_v1.crt.pem, skipping
**Warning** Missing fallback target fulcio_intermediate_v1.crt.pem, skipping
**Warning** Missing fallback target ctfe.pub, skipping
Error: getting ctlog public keys: no matching targets by custom metadata, fallbacks not found: ctfe.pub
main.go:74: error during command execution: getting ctlog public keys: no matching targets by custom metadata, fallbacks not found: ctfe.pub

I would expect that passing --insecure-ignore-sct would prevent such an error, since as the blog tutorial suggested I am NOT running a CT server. I saw #3386 and was able to confirm that the signing & verifying works with my setup using normal public/private keypairs, so I think maybe a similar bug exists for the keyless logic?

Version

GitVersion:    2.2.2
GitCommit:     bf6b57bc3edf8deb7e225e4dbd2d26c0d432979b
GitTreeState:  "clean"
BuildDate:     2023-12-05T18:59:25Z
GoVersion:     go1.21.4
Compiler:      gc
Platform:      darwin/arm64

haydentherapper commented 9 months ago

We're cutting a new release of Cosign tomorrow which includes https://github.com/sigstore/cosign/pull/3427 which I believe should fix this

haydentherapper commented 9 months ago

@willarmiros Can you confirm the new release fixed this for you?

willarmiros commented 9 months ago

@haydentherapper I can confirm with cosign 2.2.3 it works now, thanks!
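A small wrapper for the local, CT-log-less keyless verify-blob flow from the report above, gated on the release the thread says fixed the flag (2.2.3): this is an added example, not code from the cosign project or the issue author, and it assumes POSIX sh with awk and sort (cosign is only needed when verify_blob_local is actually called).

```shell
#!/bin/sh
# Added example, not from the cosign project or the issue author.
# Gate the local keyless verify-blob flow (no CT log, so SCT checks must be
# skipped) on a cosign release that honours --insecure-ignore-sct for keyless
# verification (2.2.3 and later, per the thread). Assumes POSIX sh, awk, sort.

# Sample `cosign version` output, constructed from the report's Version block.
SAMPLE_VERSION_OUTPUT='GitVersion:    2.2.2
GitCommit:     bf6b57bc3edf8deb7e225e4dbd2d26c0d432979b
GitTreeState:  "clean"
Platform:      darwin/arm64'

# Print the GitVersion field (leading "v" stripped) from `cosign version` text.
cosign_gitversion() {
  printf '%s\n' "$1" | awk '/^GitVersion:/ { sub(/^v/, "", $2); print $2; exit }'
}

# Succeed when dotted version $1 is >= $2, comparing each component numerically.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Succeed when this cosign honours --insecure-ignore-sct for keyless verify-blob.
ignore_sct_honoured() {
  version_ge "$(cosign_gitversion "$1")" 2.2.3
}

# Run the verify-blob command from the report against a local Rekor without a
# CT log. Older releases ignore the flag for keyless signatures and fail with
# "fallbacks not found: ctfe.pub", so refuse up front instead of trying.
# Args: blob cert sig identity issuer rekor_url
verify_blob_local() {
  out=$(cosign version 2>&1) || { echo "cosign not found on PATH" >&2; return 2; }
  if ! ignore_sct_honoured "$out"; then
    echo "cosign $(cosign_gitversion "$out") ignores --insecure-ignore-sct for keyless verify-blob; upgrade to >= 2.2.3" >&2
    return 1
  fi
  cosign verify-blob --cert "$2" --signature "$3" --rekor-url "$6" \
    --certificate-identity "$4" --certificate-oidc-issuer "$5" \
    --insecure-ignore-sct "$1"
}

# Example invocation against the local Fulcio/Rekor setup from the report
# (identity and issuer are placeholders you must replace):
# verify_blob_local my_file local.cert local.sig you@example.com \
#   https://github.com/login/oauth http://localhost:3000
```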