You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, cosign is not able to leverage the existing trust established by container runtime engines such as Docker or Containerd against private registries signed with an internally-trusted certificate authority. For example, although pulls might be successful from such a registry either signing or verifying will inevitably throw an error:
$ step certificate inspect https://harbor2.zoller.com --roots /etc/docker/certs.d/harbor2.zoller.com/ca.crt --short
X.509v3 TLS Certificate (RSA 2048) [Serial: 1583...5751]
Subject: harbor2.zoller.com
harbor2
hostname
Issuer: ZollerCA
Valid from: 2020-06-24T13:23:17Z
to: 2022-06-24T13:23:17Z
$ docker pull harbor2.zoller.com/library/alpine:3.12.1
3.12.1: Pulling from library/alpine
188c0c94c7c5: Pull complete
Digest: sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e
Status: Downloaded newer image for harbor2.zoller.com/library/alpine:3.12.1
harbor2.zoller.com/library/alpine:3.12.1
$ ./cosign verify --key cosign.pub harbor2.zoller.com/library/alpine:3.12.1
Error: Get "https://harbor2.zoller.com/v2/": x509: certificate signed by unknown authority
main.go:48: error during command execution: Get "https://harbor2.zoller.com/v2/": x509: certificate signed by unknown authority
While it is possible to set the environment variable SSL_CERT_FILE with the path to the signing CA (as suggested in this Slack thread), this is problematic especially for external tools (ex., Kyverno) which leverage cosign as there may be no equivalent ability for this to be done.
If cosign is not able to leverage the trust already established by these mainstream container engines, it may be helpful if there were a flag which could be set along with a path to a CA certificate to establish this trust, for example --ca-cert. Alternatively, the use of the --allow-insecure-registry flag would need to be used which isn't ideal or the aforementioned environment variable.
The text was updated successfully, but these errors were encountered:
Description
Currently, cosign is not able to leverage the existing trust established by container runtime engines such as Docker or Containerd against private registries signed with an internally-trusted certificate authority. For example, although pulls might be successful from such a registry either signing or verifying will inevitably throw an error:
While it is possible to set the environment variable
SSL_CERT_FILE
with the path to the signing CA (as suggested in this Slack thread), this is problematic especially for external tools (ex., Kyverno) which leverage cosign as there may be no equivalent ability for this to be done.If cosign is not able to leverage the trust already established by these mainstream container engines, it may be helpful if there were a flag which could be set along with a path to a CA certificate to establish this trust, for example
--ca-cert
. Alternatively, the use of the--allow-insecure-registry
flag would need to be used which isn't ideal or the aforementioned environment variable.The text was updated successfully, but these errors were encountered: