Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for verifying/signing images from a private registry using PKI #1006

Closed
chipzoller opened this issue Nov 6, 2021 · 2 comments
Closed

Support for verifying/signing images from a private registry using PKI #1006

chipzoller opened this issue Nov 6, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@chipzoller
Copy link

chipzoller commented Nov 6, 2021
edited

Description

Currently, cosign is not able to leverage the existing trust established by container runtime engines such as Docker or Containerd against private registries signed with an internally-trusted certificate authority. For example, although pulls might be successful from such a registry either signing or verifying will inevitably throw an error:

$ step certificate inspect https://harbor2.zoller.com --roots /etc/docker/certs.d/harbor2.zoller.com/ca.crt --short
X.509v3 TLS Certificate (RSA 2048) [Serial: 1583...5751]
  Subject:     harbor2.zoller.com
               harbor2
               hostname
  Issuer:      ZollerCA
  Valid from:  2020-06-24T13:23:17Z
          to:  2022-06-24T13:23:17Z

$ docker pull harbor2.zoller.com/library/alpine:3.12.1
3.12.1: Pulling from library/alpine
188c0c94c7c5: Pull complete
Digest: sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e
Status: Downloaded newer image for harbor2.zoller.com/library/alpine:3.12.1
harbor2.zoller.com/library/alpine:3.12.1


$ ./cosign verify --key cosign.pub harbor2.zoller.com/library/alpine:3.12.1
Error: Get "https://harbor2.zoller.com/v2/": x509: certificate signed by unknown authority
main.go:48: error during command execution: Get "https://harbor2.zoller.com/v2/": x509: certificate signed by unknown authority

While it is possible to set the environment variable SSL_CERT_FILE with the path to the signing CA (as suggested in this Slack thread), this is problematic especially for external tools (ex., Kyverno) which leverage cosign as there may be no equivalent ability for this to be done.

If cosign is not able to leverage the trust already established by these mainstream container engines, it may be helpful if there were a flag which could be set along with a path to a CA certificate to establish this trust, for example --ca-cert. Alternatively, the use of the --allow-insecure-registry flag would need to be used which isn't ideal or the aforementioned environment variable.
@chipzoller chipzoller added the enhancement New feature or request label Nov 6, 2021
@xopham xopham mentioned this issue Nov 9, 2021
Closed
@chipzoller chipzoller mentioned this issue Nov 10, 2021
Closed
@haydentherapper
Copy link
Contributor

I believe #1554 should address this.

@haydentherapper
Copy link
Contributor

Cleaning up old issues: Referenced issue is closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haydentherapper @chipzoller