Closed saschagrunert closed 1 month ago
You've specified no extended key usages using cfssl; it should be "code signing" for the leaf certificate. Ref: https://github.com/sigstore/cosign/blob/121115774e8c662648165f2924e7354292365ae8/pkg/cosign/verify.go#L1340
Your key usages are also overspecified, the root only needs "cert sign" (and possibly "crl sign" if you're issuing CRLs), same with the intermediate. The intermediate also must specify "code signing" per EKU chaining.
We have this tutorial which outlines how it can be done: https://linuxera.org/signing-verifying-container-images-with-cosign-own-pki/
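The comment above makes two separate points: the leaf must carry the "code signing" EKU, and every CA above it must permit that EKU (EKU chaining), while the root and intermediate need only cert-sign (plus CRL-sign) key usage. The following Go program is an added example, not code from cosign or from the byopki repository: it builds a root/intermediate/leaf chain in memory with Go's crypto/x509 (the same library cosign verifies with), applies an explicit leaf EKU check modelled on the one the linked verify.go performs, then runs a chain verification restricted to the code-signing EKU. The subject names and the three scenarios are constructed for the demonstration; the assumption that crypto/x509 rejects a chain whose intermediate lists an EKU set that excludes the requested usage is documented behaviour of `Certificate.Verify` with `VerifyOptions.KeyUsages` set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a root -> intermediate -> leaf hierarchy built in memory.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newTemplate returns a minimal certificate template. Validity is relative to
// now so that the chain verifies at the moment it is built. The subject names
// passed in by callers are made up for this example.
func newTemplate(cn string, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue generates a P-256 key for tmpl and signs tmpl with parentKey. When
// parent is nil the certificate is self-signed (used for the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildChain issues root, intermediate and leaf. Root and intermediate get only
// cert-sign and CRL-sign key usage (the minimum a CA needs). The EKU lists for
// intermediate and leaf are parameters so that the mistakes discussed in the
// thread can be reproduced deliberately.
func BuildChain(interEKU, leafEKU []x509.ExtKeyUsage) (*Chain, error) {
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := issue(newTemplate("example-root", true, caKU, nil), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate("example-intermediate", true, caKU, interEKU), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate("example-signer", false, x509.KeyUsageDigitalSignature, leafEKU), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// CheckCodeSigning applies the two checks the thread is about: the leaf must
// itself list the code-signing EKU (an explicit check in the style of cosign's
// verify.go), and every CA in the path must permit that EKU, which crypto/x509
// enforces once VerifyOptions.KeyUsages is restricted to code signing.
func CheckCodeSigning(c *Chain) error {
	hasCodeSigning := false
	for _, eku := range c.Leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			hasCodeSigning = true
		}
	}
	if !hasCodeSigning {
		return fmt.Errorf("leaf certificate extended key usages must contain code signing")
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	if _, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("chain does not permit code signing: %w", err)
	}
	return nil
}

func main() {
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	cases := []struct {
		name     string
		interEKU []x509.ExtKeyUsage
		leafEKU  []x509.ExtKeyUsage
	}{
		{"correct chain", codeSigning, codeSigning},
		{"leaf without any EKU", codeSigning, nil},
		{"intermediate with serverAuth EKU only", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, codeSigning},
	}
	for _, tc := range cases {
		chain, err := BuildChain(tc.interEKU, tc.leafEKU)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s -> %v\n", tc.name, CheckCodeSigning(chain))
	}
}
```

Only the first scenario passes both checks. The second fails the explicit leaf check even though crypto/x509 alone would accept it (a certificate with no EKU extension is treated as unrestricted), which is why a leaf-level check like cosign's is needed in addition to chain verification. The third fails inside `Verify`, because the intermediate's EKU set does not include code signing, which is the EKU chaining rule the comment refers to.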
Question
Hey folks, I'm working on a BYOPKI verification example in: https://github.com/saschagrunert/byopki/blob/main/run

It does:

cosign generate

and

cosign attach

to sign the image: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L178-L189

cosign verify … --key, which works: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L191-L195

With:

Setting SIGSTORE_ROOT_FILE to the CA or full chain does not help either. Am I missing something?

I'm using cosign v2.2.4 right now.