Added support for attaching cert and cert chain in attach command Git… #2602
The pull request provides the fix for the bug.
cmd/cosign/cli/verify/verify.go
@@ -182,7 +184,30 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { | |||
keyRef := c.KeyRef | |||
certRef := c.CertRef | |||
|
|||
if !c.IgnoreSCT { | |||
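Review bot: the hunk header (-182,7 +184,30) shows 23 lines added directly after `certRef := c.CertRef`, but only the unchanged context is rendered here, so the new root-cert handling in Exec cannot be reviewed from this view; please show the full hunk. Note that the maintainers' request further down to drop the verify.go changes and keep the PR to attach applies to exactly this block.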
We should have some tests for this.
Hi, I have performed the following test in an end-to-end setup.
Payload file used: payload.json
{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":null}
Signed base64 signature file: payload64.sig
Leaf Certificate: LeafCA.crt
Intermediate CA Certificate: intermediateCA.crt
Root CA Certificate: rootCA.crt
Cert chain:
I created the cert chain by concatenating the intermediate CA cert and the root CA cert.
Now I performed the following tests using the updated attach and verify commands.
Attach Test
Step 1: Attach the signature, payload, cert and cert chain (including the root cert) to the registry.
C:\Users\musharma\Desktop\DemoJan13>cosign.exe attach signature --signature C:\Users\musharma\Desktop\DemoJan13\attachTest\payload64.sig --payload C:\Users\musharma\Desktop\DemoJan13\attachTest\payload.json --cert C:\Users\musharma\Desktop\DemoJan13\attachTest\leafCA.crt --cert-chain C:\Users\musharma\Desktop\DemoJan13\attachTest\certChain.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry
Step 2: Use the triangulate command to fetch the reference of the associated signature.
C:\Users\musharma\Desktop\DemoJan13>cosign triangulate harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig
Step 3: Fetch the manifest to validate that it contains all the required content.
C:\Users\musharma\Desktop\crane>crane manifest harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig --insecure
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 246,
"digest": "sha256:948bcd0bc30307e9877c7afffffc3a4ac1329eb11f506cd030424a4f33a4a51f"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 290,
"digest": "sha256:64efb696f2970c7bb90334c7c4414811d859800579e25b131236ee73b9d9b9ce",
"annotations": {
"dev.cosignproject.cosign/signature": "IfuEJzvBkypcSiNKmljQuerhwkz3lNh5R3yHJB+GEMteDTtnJ4FV+gOUk2KPnuP688IMwH2xtWqB\r\nKvOrBlPjtnEWtW0bWYgMetcYW38tW0xzQpKjvQQRlb2Yp9q4pswdVesJCIKfiRgo6nKZIod22osx\r\n0B1eXY0DlLysnQ8NQkYcM94NeJYJUOO2B8Hl+GBJpy/N4isQaCL6c7s8q+Gd/SQAjFfr8VjQrgWq\r\nTbwgvhUDunikdcqAwfJZBhpOej3oOf3GgEcmpAsQaw0A8r3wE2FCDD52weIlSarjvHOifpHUIbUk\r\nU4564d78u7cW+diiAhKNQCZTEmukiyFlmv3RbA==",
"dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ\nKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw\nM1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w\nDAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG\nA1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W\nBLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06\ne/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib\n63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs\ni/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW\nj9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL\nVQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw\nCQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD\nVQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh\ncm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud\nDwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui\nwuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k\nZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+\nVwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ\ntTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz\nQetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu\nB3ZlZ7xhkqYB2vHjk2c=\n-----END CERTIFICATE-----\n",
"dev.sigstore.cosign/chain": "-----BEGIN CERTIFICATE-----\nMIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN\nMjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z\nEfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom\nLCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C\nUmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp\ndwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3\nbRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB\nAAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF\nMAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD\nggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt\ne1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m\nff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e\nn8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr\nQTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz\n2itq2p3qLmcxj+YguGUCLLL0K1c=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN\nMjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa\nMEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf\nof+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5\nwPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf\nyFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn\ndc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT\nMFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB\nxLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I\nYyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95\n+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE\nuZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc\nX7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A\nFuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=\n-----END CERTIFICATE-----\n"
}
}
]
}
So we can see that the cert and cert chain content is successfully attached in the registry.
Verify Test
Now on the verifier side we will just use the root cert to validate the cert chain -> cert and signature present in the registry.
Step 1: Verify the image using the root cert.
C:\Users\musharma\Desktop\DemoJan13>cosign.exe verify --root-cert C:\Users\musharma\Desktop\DemoJan13\verifyTest\rootCA.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --insecure-ignore-sct --insecure-skip-tlog-verify --allow-insecure-registry harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Any certificates were verified against the Bring your own PKI roots.
[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
So we can see that the signature claims were verified.
Verify Test with wrong Root Certificate
This is a failure test case to prove that if we pass a wrong root cert to the verify command, one which does not match the cert and cert chain stored in the registry, the verification fails.
C:\Users\musharma\Desktop\DemoJan13>cosign.exe verify --root-cert C:\Users\musharma\Desktop\DemoJan13\wrongRoot\WrongRoot.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --insecure-ignore-sct --insecure-skip-tlog-verify --allow-insecure-registry harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
Error: no matching signatures:
x509: certificate signed by unknown authority
main.go:62: error during command execution: no matching signatures:
x509: certificate signed by unknown authority
So we can see that the verification failed as expected. This test case proves that even if some adversary modifies the signature, cert or cert chain in the registry, the verifier still has the root cert present with them as the source of trust, and they can verify the content with that source of trust.
We should also have this as unit and/or e2e tests.
I have added end-to-end test cases for the attach scenario.
The new files added are:
test/e2e_test_attach.sh: This file contains the test case logic to test the attach use case and verify using an env variable.
test/testdata/test_attach_certchain.pem: This file contains the cert chain used in the attach test case.
test/testdata/test_attach_leafcert.pem: This file contains the leaf cert used in the attach test case.
test/testdata/test_attach_private_key: This file contains the private key of the leaf certificate used for signing the payload for the attach test case.
test/testdata/test_attach_rootcert.pem: This file contains the root cert used in the attach test case.
I am sharing the execution result of the test case:
/home/mukul/cosignAttachonlycode/cosign>./test/e2e_test_attach.sh
- go build -o cosign ./cmd/cosign
- go build -o sget ./cmd/sget
++ mktemp -d -t cosign-e2e-attach.XXXX - tmp=/tmp/cosign-e2e-attach.lFrZ
- cp cosign /tmp/cosign-e2e-attach.lFrZ/
- cp sget /tmp/cosign-e2e-attach.lFrZ/
- cp ./test/testdata/test_attach_private_key /tmp/cosign-e2e-attach.lFrZ/private_key
- cp ./test/testdata/test_attach_leafcert.pem /tmp/cosign-e2e-attach.lFrZ/leafcert.pem
- cp ./test/testdata/test_attach_certchain.pem /tmp/cosign-e2e-attach.lFrZ/certchain.pem
- cp ./test/testdata/test_attach_rootcert.pem /tmp/cosign-e2e-attach.lFrZ/rootcert.pem
- pushd /tmp/cosign-e2e-attach.lFrZ
/tmp/cosign-e2e-attach.lFrZ ~/cosignAttachonlycode/cosign - pass=26924
- export COSIGN_PASSWORD=26924
- COSIGN_PASSWORD=26924
- SRC_IMAGE=busybox
++ crane digest busybox - SRC_DIGEST=sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
++ uuidgen
++ head -c 8
++ tr A-Z a-z - IMAGE_URI=ttl.sh/cosign-ci/d5d90e89
- crane cp busybox@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c ttl.sh/cosign-ci/d5d90e89:1h
2023/01/18 13:59:42 Copying from busybox@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c to ttl.sh/cosign-ci/d5d90e89:1h
2023/01/18 14:02:43 ttl.sh/cosign-ci/d5d90e89:1h: digest: sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c size: 2295 - IMAGE_URI_DIGEST=ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
- ./cosign initialize
Root status:
{
"local": "/home/mukul/.sigstore/root",
"remote": https://sigstore-tuf-root.storage.googleapis.com/,
"metadata": {
"root.json": {
"version": 5,
"len": 6388,
"expiration": "18 Apr 23 18:13 UTC",
"error": ""
},
"snapshot.json": {
"version": 65,
"len": 1973,
"expiration": "05 Feb 23 00:08 UTC",
"error": ""
},
"targets.json": {
"version": 5,
"len": 4188,
"expiration": "18 Apr 23 18:13 UTC",
"error": ""
},
"timestamp.json": {
"version": 65,
"len": 721,
"expiration": "29 Jan 23 00:08 UTC",
"error": ""
}
},
"targets": [
"fulcio_v1.crt.pem",
"rekor.pub",
"artifact.pub",
"ctfe.pub",
"ctfe_2022.pub",
"fulcio.crt.pem",
"fulcio_intermediate_v1.crt.pem"
]
} - ./cosign generate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
- openssl dgst -sha256 -sign ./private_key -out payload.sig payload.json
- cat payload.sig
- base64
++ cat payloadbase64.sig
++ cat payload.json - PAYLOAD='{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null}'
- echo 'Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null}'
Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null} - ./cosign attach signature --signature ./payloadbase64.sig --payload ./payload.json --cert ./leafcert.pem --cert-chain ./certchain.pem ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
- grep -q application/vnd.oci.image.config.v1+json
++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c - crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c - grep -q dev.sigstore.cosign/certificate
- crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
- grep -q dev.sigstore.cosign/chain
++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c - crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
- export SIGSTORE_ROOT_FILE=./rootcert.pem
- SIGSTORE_ROOT_FILE=./rootcert.pem
- ./cosign verify ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp '.' --certificate-oidc-issuer-regexp '.' ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":{"Subject":foo@example.com}}]
- for image in $IMAGE_URI_DIGEST
++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c - crane delete ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
Error: DELETE https://ttl.sh/v2/cosign-ci/d5d90e89/manifests/sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig: DIGEST_INVALID: provided digest did not match uploaded content - true
- crane delete ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
- echo SUCCESS
SUCCESS
cmd/cosign/cli/verify.go
@@ -59,6 +59,9 @@ against the transparency log.`, | |||
# verify image with local certificate and certificate chain | |||
cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE> | |||
|
|||
# verify image with local root certificate | |||
cosign verify --root-cert root.crt <IMAGE> |
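Review bot: the new help example for `--root-cert` sits directly under the `--cert-chain` example without saying how the two differ; as the discussion below notes, a root can already be passed via `--cert-chain`, with intermediates picked up from the image annotation, so either state in the example that `--root-cert` validates the chain stored on the image against a local root, or drop the example together with the flag.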
@znewman01 I suspect you might disagree, but I don’t see a reason to have many different ways to pass the root, and two ways for the CLI flags
- via cert-chain
- via the env var
- TUF root
- This option now
I don’t see the confusion with using cert-chain. It’s documented that you can either pass a root and verify should pick up any intermediates from the image annotation, or you pass the whole chain if intermediates aren’t stored on the image.
The other issue with this is it's being added only to verify and not the other verify-* commands. If this is only being added to support attach, the flag should be scoped as such, but I think that would cause confusion.
I’d propose we either:
- Stick with passing a root via the cert chain flag
- refactor all verify commands to pass roots and intermediates separately, a la openssl-style (openssl is not what I’d use as an example of good UX fwiw)
One more idea: We can now link environment variables to flags, so a cleaner approach that would reduce duplication would be to link SIGSTORE_ROOT_FILE to a CLI flag for the trust root. For names, I’d pick “SIGSTORE_CA_TRUST_ROOT” and --ca-trust-root, what you proposed Zack. I also like this because it doesn’t treat fulcio differently than other CAs.
I can get this out tomorrow if this sounds good.
As part of the given PR we want to solve the shortcoming we identified in cosign for the following use case.
Use case: A corporate has a private CA which is used for certificate generation and signing. The corporate wants to use their existing infrastructure for signature signing and certificate generation but wants to use the cosign tool to upload the signature, cert and cert chain to the registry and also to verify the image content at the verifier side.
While investigating the usage of cosign in the scenario of a private CA we found the following shortcomings:
- The attach signature command was not allowing attachment of the certificate and cert chain in the registry.
- If we use the cosign sign command along with cert and cert-chain, the cert and cert chain get updated in the registry, but when we use the verify command we have to explicitly pass the cert and cert-chain as arguments even if these are already attached in the registry along with the image. One way to do this is to first download the cert and cert-chain from the registry and then use them as arguments of the verify command.
- There should be a source of trust at the verifier side which verifies the cert-chain, cert and signature, as any adversary can modify the data in the registry by updating the signature, cert and cert chain, so we cannot just rely on the data present in the registry; the source of trust should be with the verifier.
So to fix these shortcomings we propose the following enhancements in this PR:
- The attach command has been modified to allow attachment of the cert and cert chain (including the root certificate) along with the signature and payload.
- The verify command has a new argument "--root-cert" which the verifier can use to verify the cert chain, cert and signature. The root certificate which will be used by the verifier will be provided to the verifier using out-of-band mechanisms, and the verifier will use the trusted root certificate to verify the cert chain.
This is very similar to the Fulcio root based verification approach where cosign fetches the root cert from Fulcio to verify the stored cert chain and cert attached with the signature. The only difference here is that the user is using a locally stored root certificate to validate the certificate chain instead of using a public CA like Fulcio.
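The trust model laid out in the test report above and in this comment (the verifier holds the root out of band, the leaf and chain come from the registry annotations, and a wrong root is rejected), as an added Go example that is not cosign's code: it mints a constructed root, intermediate and leaf, signs a constructed payload with the leaf key, and verifies it once against the trusted root and once against an unrelated one. VerifyAttached, NewDemoPKI, issue and Sign are hypothetical helpers; the example assumes ECDSA keys, as cosign generates by default, and leaves out the SCT, tlog and identity checks cosign layers on top.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts pools every CERTIFICATE block of a PEM bundle; other block types fail closed.
func parsePEMCerts(name string, bundle []byte) ([]*x509.Certificate, *x509.CertPool, error) {
	var certs []*x509.Certificate
	pool := x509.NewCertPool()
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil || block.Type != "CERTIFICATE" {
			return nil, nil, fmt.Errorf("%s: bad PEM block %q: %v", name, block.Type, err)
		}
		certs = append(certs, c)
		pool.AddCert(c)
	}
	if len(certs) == 0 {
		return nil, nil, fmt.Errorf("%s: no CERTIFICATE block found", name)
	}
	return certs, pool, nil
}

// VerifyAttached is the verifier side of the thread: rootPEM is the anchor held
// out of band; leafPEM and chainPEM are whatever the registry returned in the
// cosign certificate and chain annotations; sig is the ASN.1 ECDSA signature.
func VerifyAttached(rootPEM, chainPEM, leafPEM, payload, sig []byte) error {
	_, roots, errRoot := parsePEMCerts("root", rootPEM)
	_, intermediates, errChain := parsePEMCerts("chain", chainPEM)
	leaves, _, errLeaf := parsePEMCerts("leaf", leafPEM)
	for _, err := range []error{errRoot, errChain, errLeaf} {
		if err != nil {
			return err
		}
	}
	// A root duplicated inside the chain (the thread's certChain.crt) is harmless: a path only counts if it ends at a cert in Roots.
	if _, err := leaves[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := leaves[0].PublicKey.(*ecdsa.PublicKey) // cosign's default key type
	digest := sha256.Sum256(payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify over payload with the leaf key")
	}
	return nil
}

func Sign(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload) // signer side: SHA-256 of the payload, ASN.1 ECDSA
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// issue mints one certificate of a constructed test PKI; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// NewDemoPKI stands in for the thread's private CA; the chain is laid out like certChain.crt (intermediate, then root).
func NewDemoPKI() (rootPEM, chainPEM, leafPEM []byte, leafKey *ecdsa.PrivateKey) {
	rootPEM, root, rootKey := issue("demo-root", true, nil, nil)
	intPEM, inter, interKey := issue("demo-intermediate", true, root, rootKey)
	leafPEM, _, leafKey = issue("demo-leaf", false, inter, interKey)
	return rootPEM, append(intPEM, rootPEM...), leafPEM, leafKey
}

func main() {
	root, chain, leaf, key := NewDemoPKI()
	wrongRoot, _, _ := issue("unrelated-root", true, nil, nil) // the WrongRoot.crt case
	payload := []byte(`{"critical":{"type":"cosign container image signature"}}`) // constructed
	sig, _ := Sign(key, payload)
	fmt.Println("trusted root:", VerifyAttached(root, chain, leaf, payload, sig))
	fmt.Println("wrong root:  ", VerifyAttached(wrongRoot, chain, leaf, payload, sig))
}
```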
Yep, I’m just talking about how you pass the root certificate to verify. This issue is a little orthogonal to this PR, we have another issue open to make “cert-chain” clearer, but adding another flag to provide a root will exacerbate the issue.
To unblock this PR, I would just stick with what options we already have for passing root material and not add an additional flag.
Thanks for the update. So if I understood you correctly, the proposal is that we would have an environment variable "SIGSTORE_CA_TRUST_ROOT" which will be set to the path of the local trusted root certificate, and then the user can just
export SIGSTORE_CA_TRUST_ROOT=[PATH of trusted root cert]
and execute the following command
cosign verify [path of IMAGE]
This will pick the trusted root cert from the env variable into an internal flag "--ca-trust-root" and use that to verify the cert-chain, cert and signature stored in the registry.
So this seems OK with me, as this will solve the requirement we need to be supported in the cosign tool. Kindly clarify if my understanding is correct.
I would propose that for this PR, you remove the added root-cert flags and rely on the existing certificate-chain flag to verify contents. You can remove your changes to verify.go. This keeps the PR small and focused just on improving attach.
There's more that we need to think through for the user experience for verifying certificates, and I wouldn't want to rush to add new verification flags if it will be confusing for users.
I tried passing the root cert with the cert-chain option, but it tries to search for the Fulcio root cert, so the command fails.
C:\Users\musharma\Desktop\cosignCert>cosign.exe verify --cert-chain C:\Users\musharma\Desktop\cosignCert\rootCA.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open C:\Users\musharma.sigstore\root\targets\fulcio.crt.pem: The system cannot find the file specified.
main.go:62: error during command execution: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open C:\Users\musharma.sigstore\root\targets\fulcio.crt.pem: The system cannot find the file specified.
The working scenario with the existing mechanism provided by cosign is to set the env variable SIGSTORE_ROOT_FILE to the trusted local root certificate and use the cosign verify command without any options.
C:\Users\musharma\Desktop\cosignCert>cosign.exe verify harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":"foo@example.com"}}]
C:\Users\musharma\Desktop\cosignCert>echo %SIGSTORE_ROOT_FILE%
C:\Users\musharma\Desktop\cosignCert\rootCA.crt
As discussed before, I have now reverted the changes done in the following files:
cmd/cosign/cli/options/certificate.go
cmd/cosign/cli/verify.go
cmd/cosign/cli/verify/verify.go
cp cosign $tmp/ | ||
cp sget $tmp/ | ||
|
||
#copying key, cert, certchain and rootcert in temp folder |
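Review bot: the new shell comment `#copying key, cert, certchain and rootcert in temp folder` should read `# Copying ...` (space after `#`, like the rest of the script) and is the right place to say where those four files come from and when they expire: the hunk only shows the cosign and sget copies, so a reader of the test has no hint that the certificates are static fixtures that will need regenerating.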
Can you add a comment about how these were generated? (with openssl?) At some point the certs will expire and will likely cause test failures and need to be regenerated
Yes, the certificates are generated using openssl. I have added the instructions to generate the certificates and certificate chain in the file test/testdata/README.md
Generate Certificates and Certificate chain for Attach test
If test/testdata/test_attach_leafcert.pem, test_attach_rootcert.pem or test_attach_certchain.pem expires, then you can generate a new certificate and certificate chain using the given steps:
1. Generate a private key for the root certificate
   openssl genrsa -des3 -out rootCA.key 2048
2. Generate the root certificate
   openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.crt
   In certificate generation set the following values:
   C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore, CN = sigstore, emailAddress = foo@example.com
3. Generate a private key for the intermediate certificate
   openssl genrsa -out intermediateCA.key 2048
4. Generate a CSR for the intermediate certificate
   openssl req -new -key intermediateCA.key -out intermediateCA.csr
   In certificate generation set the following values:
   C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore-sub, CN = sigstore-sub, emailAddress = foo@example.com
5. Create the intermediate certificate config file by name "intermediateConfigFile" having content
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
   basicConstraints = critical, CA:true, pathlen:0
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
6. Create the intermediate certificate
   openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -CAserial intermediateca.srl -out intermediateCA.crt -days 1825 -sha256 -extfile intermediateConfigFile
7. Create a private key for the leaf certificate
   openssl genrsa -out leafCA.key 2048
8. Create a CSR for the leaf certificate
   openssl req -new -key leafCA.key -out leafCA.csr
   In certificate generation set the following values:
   C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore-leaf, CN = sigstore-leaf, emailAddress = foo@example.com
9. Create the leaf certificate config file by name "leafConfigFile" having content
   authorityKeyIdentifier=keyid,issuer
   basicConstraints=CA:FALSE
   keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   extendedKeyUsage=codeSigning
   subjectAltName=email:copy
10. Create the leaf certificate
    openssl x509 -req -in leafCA.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial leafca.srl -out leafCA.crt -days 1825 -sha256 -extfile leafConfigFile
11. Generate the certificate chain by concatenating the intermediate certificate and the root certificate
    cat intermediateCA.crt rootCA.crt > certChain.crt
12. Copy the private key of the leaf certificate to test/testdata/test_attach_private.key
    cp leafCA.key test/testdata/test_attach_private.key
13. Copy the root certificate to test/testdata/test_attach_rootcert.pem
    cp rootCA.crt test/testdata/test_attach_rootcert.pem
14. Copy the cert chain to test/testdata/test_attach_certchain.pem
    cp certChain.crt test/testdata/test_attach_certchain.pem
15. Copy the leaf certificate to test/testdata/test_attach_leafcert.pem
    cp leafCA.crt test/testdata/test_attach_leafcert.pem
Codecov Report
@@ Coverage Diff @@
## main #2602 +/- ##
==========================================
- Coverage 30.15% 29.66% -0.49%
==========================================
Files 146 151 +5
Lines 9363 9647 +284
==========================================
+ Hits 2823 2862 +39
- Misses 6103 6348 +245
Partials 437 437
Hi, please suggest if anything further is required from my side on this pull request. As of now I have completed the required end-to-end test cases, comments on how to create the certs, etc. So please suggest if anything further is needed from my side on this PR.
Fixed the issue reported by the CI lint test. Kindly retest the CI test cases.
Thanks for executing the CI test again. I checked the two failures reported in the last run. 1. ::error file=pkg/types/media.go,line=2::File is not ... In addition to these there were many typecheck errors also reported on my local setup. I assume in the CI environment typecheck errors have been suppressed. Now coming to the goimport and gofmt error: as I see, this is being reported for files which have not been modified by me, so I assume this error is not coming due to changes done in this PR. 2. Docgen test failed. I again executed the Docgen command on my local setup and it is working fine, so I am not clear why the docgen test is failing in the CI environment.
You might need to rebase. |
Can you please update on the command to be used for rebasing? As it says the branch is up to date, so is this sufficient?
You need to set upstream to sigstore/cosign, a guide like https://www.atlassian.com/git/tutorials/git-forks-and-upstreams should walk you through the process |
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
…nd cert chain Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
I have completed the rebase of the branch and also resolved the conflicts. Executed the following steps.
/c/Users/musharma/cosign>git status Changes not staged for commit: no changes added to commit (use "git add" and/or "git commit -a") Changes to be committed:
After doing this, you may fix the identity used for this commit with:
3 files changed, 38 insertions(+), 3 deletions(-) nothing to commit, working tree clean
nothing to commit, working tree clean
I also performed a quick attach and verify test on the updated binary. Test done:
/c/Users/musharma/Desktop/crane>cat manifest |jq
C:\Users\musharma\Desktop\DemoJan13\attachTest>set SIGSTORE_ROOT_FILE=C:\Users\musharma\Desktop\DemoJan13\attachTest\rootCA.crt
C:\Users\musharma\Desktop\DemoJan13\attachTest>echo %SIGSTORE_ROOT_FILE%
C:\Users\musharma\Desktop\DemoJan13\attachTest>cosign.exe verify harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-ignore-tlog --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
It looks like you need to run
run docgen from the root. You should be able to format all files, or just format the one you've modified. You can also run golangci-lint locally |
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
Thanks for the suggestion. I have fixed both the issues.
A few more lint failures then we should be good! |
I executed the exact golangci-lint command used in the workflows on my local setup and here I am not getting any error. In the CI test result also lint is not showing the file name for which it is failing the gofmt check, so with this it is difficult to resolve this error. Can you please guide?
Can you please retest the CI test cases?
Hayden B, can you please review the pull request, as now all the CI tests are successful. Thanks
Looks good, just a small comment about cleaning up the readme!
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
I have fixed the format issue in the Readme.md file, can you please check?
@znewman01 can you take a look for merging
sigstore#2602)
* Written end to end test case for cosign attach command
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* file contains certchain for e2e attach test
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* file contains leaf cert for e2e attach test
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* file contains private key of leaf cert for e2e attach test
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* file contains root cert for e2e attach test
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* Added instruction for generating certificates for e2e attach test script
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* updated arguments of attach.SignatureCmd() function to include cert and cert chain
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* removed trailing white spaces
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* removed trailing white spaces
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* Added support for attaching cert and cert chain in attach command
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* executed make docgen to generate the file
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* Resolved gofmt lint error
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
* corrected the display format to be used for commands
  Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
---------
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
Co-authored-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
… Issue: 2267
Summary
The motivation behind this pull request is to support cosign usage with a company private CA.
The use case we want to implement is as follows:
Signer side
Verifier side
Release Note
The following files have been modified to include the given PR changes:
- Enhanced AttachSignatureOptions structure to include cert and cert chain
- Enhanced AddFlags function to include cert and cert chain options
- Enhanced attach module function SignatureCmd to pass cert and cert chain as argument
- Enhanced SignatureCmd function to mutate the signature with cert and cert chain
- Enhanced CertVerifyOptions structure to include RootCert
- Enhanced AddFlags function to include root-cert option
- Added print to show root-cert argument usage
- Enhanced VerifyCommand function to pass root-cert as argument
- Enhanced VerifyCommand structure to include root-cert option
- Enhanced Verify Command Exec function with the following:
  a) Allowed user to just pass root-cert as a single option in the verify command
  b) Added logic to extract root cert from local file
  c) Created a new variable to identify PKI-based verification; this variable is used later to print the output
  d) Invoked new print function for PKI-based verification
New parameters have been introduced in the attach command to provide cert and cert chain along with the existing payload and signature input parameters.
The updated command looks like as below:
cosign attach signature --signature --payload --cert --cert-chain
The new arguments introduced are:
--certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
--certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
A new parameter is introduced in the verify command to provide the root certificate.
The updated command looks like as below:
Verify image with local root certificate
cosign verify --root-cert root.crt
In the case of a private CA the transaction logging and SCT verification is not applicable, so to execute the command the verify command should include the ignore options for tlog and SCT. The example is shown below:
cosign verify --root-cert --insecure-ignore-sct --insecure-skip-tlog-verify
Two new features are introduced:
cosign attach signature --signature --payload --cert --cert-chain
cosign verify --root-cert --insecure-ignore-sct --insecure-skip-tlog-verify
The two features for Transparency log and Signed Certificate Timestamp would not be applicable when the user is using a private PKI, so when using the --root-cert option in verify we need to use the ignore options for tlog and SCT verification.
Documentation
As part of this feature we have introduced new input arguments in the attach and verify commands, so the documentation related to these commands may need to be updated.
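Added example in Go, not cosign's own code, tying together the two technical parts of this thread: the README's root -> intermediate -> leaf hierarchy (built here in memory with the same key-usage and codeSigning settings, chain file laid out as intermediate followed by root) and the private-CA verify flow above, where the only trusted input is the local root (the SIGSTORE_ROOT_FILE role) and the certificate plus chain attached beside the signature are untrusted data. The names NewPki, VerifyLeaf and the helpers are assumptions of this example; the check is the standard-library chain verification, not cosign's verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
// template mirrors the README's extension files: CAs get keyCertSign/cRLSign, the leaf gets the codeSigning EKU.
func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}
// issue signs t with the parent's key; passing parent == t yields a self-signed root.
func issue(t, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// NewPki builds root -> intermediate -> leaf in memory (constructed test PKI, as the README's openssl
// steps do) and returns the three PEM files: leaf cert, chain (intermediate then root, like certChain.crt) and root.
func NewPki() (leafPEM, chainPEM, rootPEM []byte) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("sigstore", true, 1)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := issue(template("sigstore-sub", true, 2), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("sigstore-leaf", false, 3), inter, &leafKey.PublicKey, interKey)
	return pemOf(leaf), append(pemOf(inter), pemOf(root)...), pemOf(root)
}
// VerifyLeaf checks that leafPEM chains through chainPEM to a root in rootPEM and is valid for code
// signing. Only rootPEM is trusted; the chain shipped next to the signature is untrusted input.
func VerifyLeaf(leafPEM, chainPEM, rootPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil { return errors.New("leaf: no PEM block") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	inters.AppendCertsFromPEM(chainPEM) // a root copy at the end of the chain file is harmless here
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

A leaf whose chain leads to any other root, or that arrives without its intermediate, is rejected even though every certificate in it is individually well-formed, which is why the root must come from local configuration and not from the registry.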