sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Keyless verification with Bring Your Own Public Key Infrastructure (BYOPKI) #3699

Closed saschagrunert closed 1 month ago

saschagrunert commented 1 month ago

Question

Hey folks, I'm working on a BYOPKI verification example in: https://github.com/saschagrunert/byopki/blob/main/run

It does:

  1. Generate a CA, intermediate CA and leaf certificate using cfssl: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L23-L164
  2. Start a container registry and build+push a demo image: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L166-L174
  3. Use `cosign generate` and `cosign attach` to sign the image: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L178-L189
  4. Verify the image using `cosign verify … --key`, which works: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L191-L195
  5. Attempt a keyless verification using `cosign verify … --cert-chain`, which fails: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L197-L203

With:

> Verify signature keyless
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:69: error during command execution: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

Setting SIGSTORE_ROOT_FILE to the CA or full chain does not help either. Am I missing something?

I'm using cosign v2.2.4 right now.

haydentherapper commented 1 month ago

You've specified no extended key usages using cfssl, it should be "code signing" for the leaf certificate. Ref: https://github.com/sigstore/cosign/blob/121115774e8c662648165f2924e7354292365ae8/pkg/cosign/verify.go#L1340

Your key usages are also overspecified, the root only needs "cert sign" (and possibly "crl sign" if you're issuing CRLs), same with the intermediate. The intermediate also must specify "code signing" per EKU chaining.
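
As an added example (not from this issue, cosign, or the byopki repo), the Go program below builds a root, intermediate and leaf in memory with crypto/x509 and verifies the leaf for code signing, the same EKU requirement the linked verify.go line applies to a `--cert-chain`, so the chaining rules above can be checked before touching cfssl or a registry. A leaf or intermediate whose EKU list omits code signing yields exactly the "certificate specifies an incompatible key usage" error from the report; names such as VerifyCodeSigningChain are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a certificate template carrying the key usages under test.
func tmpl(cn string, ca bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	return &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
}

// issue makes a P-256 key for t and signs t with parentKey (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // our own DER, cannot fail to parse
	return cert, key
}

// VerifyCodeSigningChain builds root -> intermediate -> leaf with the given EKUs and verifies
// the leaf for code signing, as cosign does for --cert-chain; nil means the chain is accepted.
func VerifyCodeSigningChain(intermediateEKU, leafEKU []x509.ExtKeyUsage) error {
	root, rootKey := issue(tmpl("root", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil), nil, nil)
	inter, interKey := issue(tmpl("intermediate", true, x509.KeyUsageCertSign, intermediateEKU), root, rootKey)
	leaf, _ := issue(tmpl("signer", false, x509.KeyUsageDigitalSignature, leafEKU), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

Run VerifyCodeSigningChain with code-signing EKUs on both CA-issued certificates to see a clean chain, then swap either the leaf's or the intermediate's EKUs for the cfssl-style serverAuth/clientAuth pair to reproduce the failure.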

saschagrunert commented 1 month ago

We have this tutorial which outlines how it can be done: https://linuxera.org/signing-verifying-container-images-with-cosign-own-pki/