sidYana
commented
2 weeks ago Hi Team, any info on this will be appreciated
Open sidYana opened 2 weeks ago
sidYana
commented
2 weeks ago Hi Team, any info on this will be appreciated
Question I am confused on how the Sign and attach a certificate and certificate chain part works
We have a custom CA which generates our certs. I generated a cert and tried using it for the signing process thinking that the cert would provide some extra features like validity check etc
but what i noticed is irrespective of if i provide the cert or not during signing, the verify cmd does not care and it just checks if the key is provided or not
what is exactly happening here?
below is 1 of the output ` $ cosign sign --key cosign.key IMAGE_NAME_AND_TAG@digest --tlog-upload=false Pushing signature to: IMAGE_NAME_AND_TAG $ cosign public-key --key cosign.key > cosign.pub $ cosign verify --key cosign.pub --cert cert.crt --cert-chain chain.crt --insecure-ignore-tlog ${IMAGE_NAME_AND_TAG} WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature. Verification for IMAGE_NAME_AND_TAG -- The following checks were performed on each of these signatures:
something similar when we sign and attach a cert but dont verify with that cert
` $ cosign sign --key cosign.key --cert cert.crt --cert-chain chain.crt IMAGE_NAME_AND_TAG@digest --tlog-upload=false Pushing signature to: IMAGE_NAME_AND_TAG $ cosign public-key --key cosign.key > cosign.pub $ cosign verify --key cosign.pub --insecure-ignore-tlog IMAGE_NAME_AND_TAG WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature. Verification for IMAGE_NAME_AND_TAG -- The following checks were performed on each of these signatures:
i want to know what is the use of attaching the cert and why in this case the cert is not verified or checked