Intermediate cert and root CA must come via same source for verify to succeed #3976

Open
tuminoid opened this issue Dec 17, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@tuminoid

Description

Intermediate cert and root CA must come in via same source for verify to succeed.

Expected behavior

As long as chain of trust is complete, signing cert + intermediate cert + root CA should be able to be attached in registry or supplied to cosign verify via command line arguments. Specifically, it should be possible to have signing cert + intermediate cert attached to image in registry, while supplying only root CA for verification.

Actual behavior

  1. intermediate cert + root CA are both attached as certchain using cosign attach --cert-chain ..., then verification versus root CA only works (but attached root cert is duplicated in two places)
  2. if intermediate only is attached as cert chain, then verification with root CA only FAILS. In this case intermediate has to be supplied with root CA to verify (intermediate is duplicated in two places).

Reproduction

If I remove the root CA from the cert chain file here, then cosign verify here fails.

Relevant parts:

# fails
cat "${OUTPUT_DIR}"/sub-ca.crt  > "${OUTPUT_DIR}"/certificate_chain.pem
# works
cat "${OUTPUT_DIR}"/sub-ca.crt "${OUTPUT_DIR}"/ca.crt > "${OUTPUT_DIR}"/certificate_chain.pem

cosign attach signature \
	--payload examples/payload.json \
	--signature examples/payloadbase64.sig \
	--certificate examples/leaf.crt \
	--certificate-chain examples/certificate_chain.pem \
	127.0.0.1:5003/alpine@sha256:33735bd63cf84d7e388d9f6d297d348c523c044410f553bd878c6d7829612735

cosign verify \
	--ca-roots=examples/ca.crt \
	--certificate-identity-regexp '.*' \
	--certificate-oidc-issuer-regexp '.*' \
	--private-infrastructure \
	--insecure-ignore-sct \
	127.0.0.1:5003/alpine@sha256:33735bd63cf84d7e388d9f6d297d348c523c044410f553bd878c6d7829612735

Error: no matching signatures: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:69: error during command execution: no matching signatures: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

Version

❯ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.4.1
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
GoVersion:     go1.23.1
Compiler:      gc
Platform:      linux/amd64

References

  1. Slack discussion
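The path-building behaviour the report expects, shown as an added example (this is not cosign code and not the reporter's script): a constructed root CA -> sub CA -> leaf chain is verified with Go's crypto/x509, where only the root is a trust anchor and the attached chain bundle is treated purely as a source of untrusted intermediates. Supplying the sub CA alone in the chain is enough; adding the root to the chain as well is harmless but redundant; omitting the intermediate reproduces the "certificate signed by unknown authority" failure. The certificate names, serials and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI: root CA (ca.crt), sub CA
// (sub-ca.crt) and leaf signing certificate (leaf.crt) in the report's terms.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// template builds a short-lived certificate template; CA templates get
// certSign, the leaf gets digitalSignature + codeSigning EKU.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue generates a P-256 key and signs tmpl with parentKey; with a nil
// parent the certificate is self-signed (the root CA case).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed: the template is its own parent
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues root -> intermediate -> leaf (all values constructed here).
func BuildChain() (*Chain, error) {
	root, rootKey, err := issue(template(1, "Example Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template(2, "Example Sub CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template(3, "image-signer", false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf builds a path from leaf to one of roots. Only roots are trust
// anchors; chain (the attached cert-chain bundle) only supplies candidates
// for intermediate hops and is never trusted on its own.
func VerifyLeaf(leaf *x509.Certificate, roots, chain []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range chain {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsUnknownAuthority reports whether err is the x509 "certificate signed by
// unknown authority" failure quoted in the report.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{ch.Root}
	fmt.Println("chain = sub-ca only, roots = ca:", VerifyLeaf(ch.Leaf, roots, []*x509.Certificate{ch.Intermediate}))
	fmt.Println("chain = sub-ca + ca, roots = ca:", VerifyLeaf(ch.Leaf, roots, []*x509.Certificate{ch.Intermediate, ch.Root}))
	fmt.Println("chain = empty, roots = ca:      ", VerifyLeaf(ch.Leaf, roots, nil))
}
```

The last case in main is the failing configuration from the report, and the second shows why duplicating the root into the chain bundle changes nothing: a root that appears only in the intermediates pool is never a trust anchor, so a verifier that wants the attached chain to carry the full path is mixing "untrusted hints" with "trust anchors".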