sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

how does the Sign and attach a certificate and certificate chain work #3928

Open sidYana opened 6 days ago

sidYana commented 6 days ago

Question: I am confused about how the "Sign and attach a certificate and certificate chain" part works.

We have a custom CA which generates our certs. I generated a cert and tried using it for the signing process, thinking that the cert would provide some extra features like validity checks, etc.

But what I noticed is that, irrespective of whether I provide the cert or not during signing, the verify command does not care; it just checks whether the key is provided or not.

What exactly is happening here?

Below is one of the outputs:

```
$ cosign sign --key cosign.key IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --cert cert.crt --cert-chain chain.crt --insecure-ignore-tlog ${IMAGE_NAME_AND_TAG}
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:
```

Something similar happens when we sign and attach a cert but don't verify with that cert:

```
$ cosign sign --key cosign.key --cert cert.crt --cert-chain chain.crt IMAGE_NAME_AND_TAG@digest --tlog-upload=false
Pushing signature to: IMAGE_NAME_AND_TAG
$ cosign public-key --key cosign.key > cosign.pub
$ cosign verify --key cosign.pub --insecure-ignore-tlog IMAGE_NAME_AND_TAG
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for IMAGE_NAME_AND_TAG --
The following checks were performed on each of these signatures:
```

I want to know what the use of attaching the cert is, and why in this case the cert is not verified or checked.

sidYana commented 1 day ago

Hi team, any info on this would be appreciated.
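To make the distinction behind this question concrete, here is an added example written for this page; it is not cosign's code and not from the sigstore project. It models a signature bundle (signature over an artifact digest, plus an optional attached leaf certificate and chain) and runs two independent checks over it: a public-key check that consults only the key, and a certificate check that first validates the attached leaf against a trusted root (validity window and CA constraints included) and only then verifies the signature under the key inside that leaf. The `Bundle` type, the CA hierarchy (root, intermediate, leaf), the subject names and the sample artifact are all constructed for the example. The third case attaches a certificate issued for a different key to show that a key-only check never binds the attached certificate to the signer; the example goes slightly beyond the question by including an intermediate CA so that a chain, not just a leaf, is exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is a constructed model of a key-signed artifact: a signature over the
// artifact digest plus an optional leaf certificate and chain attached as metadata.
type Bundle struct {
	Digest, Sig []byte
	Leaf        *x509.Certificate
	Chain       []*x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue creates a certificate for pub signed by parentKey; parent == nil means
// self-signed (a root). Validity runs from one hour ago to one day from now.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// sign produces the signature with the key alone; leaf and chain are merely
// attached to the bundle and play no part in computing it.
func sign(key *ecdsa.PrivateKey, artifact []byte, leaf *x509.Certificate, chain []*x509.Certificate) Bundle {
	d := sha256.Sum256(artifact)
	return Bundle{Digest: d[:], Sig: must(ecdsa.SignASN1(rand.Reader, key, d[:])), Leaf: leaf, Chain: chain}
}

// verifyWithKey is the public-key style check: is the signature valid under
// this key? Whatever certificate is attached is never consulted.
func verifyWithKey(pub *ecdsa.PublicKey, b Bundle) bool {
	return ecdsa.VerifyASN1(pub, b.Digest, b.Sig)
}

// verifyWithCert is the certificate style check: the attached leaf must chain
// to a trusted root, and the signature must verify under the leaf's own key.
func verifyWithCert(roots *x509.CertPool, b Bundle) error {
	if b.Leaf == nil {
		return errors.New("no certificate attached to the signature")
	}
	inter := x509.NewCertPool()
	for _, c := range b.Chain {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := b.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := b.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, b.Digest, b.Sig) {
		return errors.New("signature was not made by the certificate's key")
	}
	return nil
}

// Outcome pairs the two checks for one signature: KeyOK is the public-key
// check, CertErr is nil only when the certificate check passed.
type Outcome struct {
	KeyOK   bool
	CertErr error
}

// Scenario signs one constructed artifact three ways under a constructed CA
// hierarchy and runs both checks on each result.
func Scenario() (noCert, matchingCert, foreignCert Outcome) {
	artifact := []byte("constructed sample: digest of some image manifest")
	rootKey, interKey, signKey, otherKey := newKey(), newKey(), newKey(), newKey()
	root := issue("Example Root CA", &rootKey.PublicKey, nil, rootKey, true)
	inter := issue("Example Intermediate CA", &interKey.PublicKey, root, rootKey, true)
	leaf := issue("build-signer", &signKey.PublicKey, inter, interKey, false)
	other := issue("someone-else", &otherKey.PublicKey, inter, interKey, false)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chain := []*x509.Certificate{inter}
	check := func(b Bundle) Outcome { return Outcome{verifyWithKey(&signKey.PublicKey, b), verifyWithCert(roots, b)} }
	noCert = check(sign(signKey, artifact, nil, nil))          // nothing attached
	matchingCert = check(sign(signKey, artifact, leaf, chain)) // cert issued for the signing key
	foreignCert = check(sign(signKey, artifact, other, chain)) // cert issued for a different key
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("no cert:       key check %v, cert check: %v\n", a.KeyOK, a.CertErr)
	fmt.Printf("matching cert: key check %v, cert check: %v\n", b.KeyOK, b.CertErr)
	fmt.Printf("foreign cert:  key check %v, cert check: %v\n", c.KeyOK, c.CertErr)
}
```

Running it shows the public-key check passing in all three cases, because it only asks whether the signature matches the key; the certificate check fails when nothing is attached, passes for the matching certificate, and fails for the foreign certificate because the signature was not made by that certificate's key. Which of the two checks a verifier performs is therefore the whole question: attaching a certificate at signing time adds the material for the second check, but it changes nothing unless the verifier is the kind that consumes it.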