Question
I am confused about how the "Sign and attach a certificate and certificate chain" part works.
We have a custom CA which generates our certs. I generated a cert and tried using it for the signing process, thinking that the cert would provide some extra features like a validity check, etc.
But what I noticed is that, irrespective of whether I provide the cert or not during signing, the verify command does not care and just checks whether the key is provided or not.
What exactly is happening here?
Below is one of the outputs:
```
$ cosign sign --key cosign.key IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --cert cert.crt --cert-chain chain.crt --insecure-ignore-tlog ${IMAGE_NAME_AND_TAG}
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:
The cosign claims were validated
The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"IMAGE_NAME"},"image":{"docker-manifest-digest":"sha256:12ac9989d832da2e35052d8d8ef5f27f1eb7e85a260326d484a949c300a6fa"},"type":"cosign container image signature"},"optional":null}]
```
Something similar happens when we sign and attach a cert but don't verify with that cert:
```
$ cosign sign --key cosign.key --cert cert.crt --cert-chain chain.crt IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --insecure-ignore-tlog IMAGE_NAME_AND_TAG
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:
The cosign claims were validated
The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"IMAGE_NAME_AND_TAG"},"image":{"docker-manifest-digest":"sha256:02ae9710e2a6c32ff714f27e5f3ade6412ff513f1d4556f37c96c3f2140bc8"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
```
I want to know what the use of attaching the cert is, and why in this case the cert is not verified or checked.
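Added example (not cosign's own code and not part of the question above): a small Go program that models the two verification paths the question contrasts. `VerifyWithKey` does what `cosign verify --key` does, checking the signature over the simple-signing payload against the supplied public key alone, so an attached certificate plays no part; `VerifyWithCert` shows what a certificate-based check has to do instead (chain the leaf to a trusted root, then verify under the leaf's own key). It assumes ECDSA P-256 with SHA-256, a constructed payload digest, and a hypothetical `Issue` helper standing in for the custom CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed cosign "simple signing" payload: this JSON, not the image, is what the key signs.
const Payload = `{"critical":{"identity":{"docker-reference":"IMAGE_NAME"},"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},"type":"cosign container image signature"},"optional":null}`
// VerifyWithKey mirrors `cosign verify --key`: only the supplied public key is consulted, never an attached cert.
func VerifyWithKey(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// VerifyWithCert is what a certificate adds: chain to a trusted root with a code-signing EKU, then verify under the leaf's key.
func VerifyWithCert(roots *x509.CertPool, leaf *x509.Certificate, msg, sig []byte) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return false
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	return ok && VerifyWithKey(pub, msg, sig)
}
// Issue is a hypothetical stand-in for the custom CA: a throwaway root plus a leaf certificate issued to pub.
func Issue(pub *ecdsa.PublicKey) (*x509.CertPool, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-signer"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, pub, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, leafCert
}
// Demo signs with one key but attaches a cert issued to another, as any unrelated --cert would be: key check passes, cert check fails.
func Demo() (keyOK, certOK bool) {
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	roots, wrongCert := Issue(&other.PublicKey)
	h := sha256.Sum256([]byte(Payload))
	sig, _ := ecdsa.SignASN1(rand.Reader, signer, h[:])
	return VerifyWithKey(&signer.PublicKey, []byte(Payload), sig), VerifyWithCert(roots, wrongCert, []byte(Payload), sig)
}
```

`Demo` returns `(true, false)`: the key-only path accepts the signature no matter which certificate rides along with it, which is why passing `--cert` to a `--key` verification changes nothing.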