Wrong cosign command in “Verify Signed Kubernetes Artifacts” task

[rascasoft]

The right command line for cosign usage should be:

cosign verify-blob "$BINARY" --signature "$BINARY".sig --cert "$BINARY".cert

So with --cert instead of the actual --certificate which is an unrecognized option, at least in cosign version 1.6.0.

[sftim]

/retitle Wrong cosign command in “Verify Signed Kubernetes Artifacts” task
/language en

[mengjiao-liu]

It appears that the cosign version v1.9.0 has updated this parameter to --certificate

But for compatibility with previous versions, both --cert and --certificate can be used.

So the document just uses the newer version of the command.

related issue:

• --certificate or --cert? sigstore/cosign#1847

related PR:

• Normalize certificate flag names sigstore/cosign#1868

code：
https://github.com/sigstore/cosign/blob/1c04ce6299e63fe2af5823f7dcc4d179806208df/cmd/cosign/cli/options/certificate.go#L41

[rascasoft]

Today, if you follow the instructions (and so you download cosign 1.6.0), you get an error, so it might be useful to fix this anyway.

[mengjiao-liu]

Perhaps, the version of cosign needs to be indicated in the docs?

For more advice. @sftim @saschagrunert

[rascasoft]

Perhaps, the version of cosign needs to be indicated in the docs?

For more advice. @sftim @saschagrunert

Yes, maybe that would fix the problem as well.

[saschagrunert]

I agree having the cosign version mentioned in the docs will help us to prevent such issues in the future.

[Shubham82]

/triage accepted

[Shubham82]

Page to update: https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/

[Shubham82]

Can we also mention the note about cosign, something like this: if we are using cosign version v1.9.0+ we should use the --cert parameter instead of the --certificate

[saschagrunert]

/assign