sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Cosign verify does not work with only certificate and certificate chain #3720

Closed vishal-chdhry closed 3 months ago

vishal-chdhry commented 3 months ago

Description

Cosign verify displays an example where the user can pass an image with a certificate and cert chain. But that example does not work on v2.2.4 and main. It detects keyless verification and asks for identity flags:

$ ./cosign verify -h
Verify signature and annotations on an image by checking the claims
against the transparency log.

Usage:
cosign verify [flags]

Examples:
  ...

  # verify image with local certificate and certificate chain
  cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>

  ...

$ ./cosign verify --cert cosign.crt --cert-chain chain.crt nginx
Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

Expected Behaviour

Cosign verify should work with only cert and cert chain.

Version

Built from main

 $ ./cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.2.4-39-gd275a272
GitCommit:     d275a272ec0cdf5a4c22d01b891a4d7e20164d71
GitTreeState:  clean
BuildDate:     2024-06-03T17:11:36Z
GoVersion:     go1.22.2
Compiler:      gc
Platform:      darwin/arm64

haydentherapper commented 3 months ago

This is working as intended. Certificates should conform to Fulcio's certificate profile which means that an identity should be included. Otherwise, we expect that the key will be extracted from the certificate and passed to Cosign for signature verification.
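The decision described in the reply above, as an added example that is not cosign's own code: inspect a local certificate, treat one that carries a Subject Alternative Name (the identity a Fulcio-profile certificate embeds) as keyless material that needs the identity flags, and otherwise extract its public key so it can be passed with `--key`. It assumes `openssl` is on PATH; the `cosign_verify_cmd` function only composes the cosign command line and does not run cosign, and the `--certificate-oidc-issuer` flag is taken from cosign's keyless verification, not from this issue.

```shell
#!/bin/sh
# Added example, not part of cosign. Assumes openssl is available.
set -eu

# Print "keyless" when the certificate has a Subject Alternative Name
# (an embedded identity, as in Fulcio's profile), otherwise "key".
cosign_verify_mode() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
        echo keyless
    else
        echo key
    fi
}

# Write the certificate's public key as PEM (SubjectPublicKeyInfo) to $2;
# this is the form `cosign verify --key` accepts.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Compose the matching `cosign verify` invocation for cert $1, chain $2 and
# image $3. For keyless material the expected identity ($4) and OIDC
# issuer ($5) are required, which is exactly the error the issue reports.
cosign_verify_cmd() {
    cert="$1"; chain="$2"; image="$3"; identity="${4:-}"; issuer="${5:-}"
    case "$(cosign_verify_mode "$cert")" in
      keyless)
        [ -n "$identity" ] && [ -n "$issuer" ] || {
            echo "identity and issuer are required for keyless verification" >&2
            return 1
        }
        echo "cosign verify --cert $cert --cert-chain $chain" \
             "--certificate-identity $identity --certificate-oidc-issuer $issuer $image"
        ;;
      key)
        pub="${cert%.*}.pub"
        extract_pubkey "$cert" "$pub"
        echo "cosign verify --key $pub $image"
        ;;
    esac
}
```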