Description

Currently, SCT verification happens on:

- Signing, either by checking an embedded SCT (public good Fulcio) or a detached SCT returned in a header. It's skipped if an insecure flag is provided.
- Verification, if either the `enforce-sct` flag is set or if an embedded SCT is present.

Signing is good - Always check, unless you explicitly provide an insecure flag. However, for verification, you must present a flag to require the check, which is not ideal - This was added because previously issued certificates did not include an embedded SCT and the Cosign metadata did not include a way to persist the detached SCT.

I propose:

- We require that an SCT be embedded or explicitly provided for the detached case. For the detached case, we could either add new annotation metadata, or simply require it be passed by flag. Given the detached case is only for private deployments, I would probably go with flag for now.
- We remove the `enforce-sct` flag and leverage an `insecure` flag to skip the check on verification.

This would be a part of Cosign 2.0, since it's a breaking change.
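To make the two verification policies concrete, here is an added Go example (not code from the Cosign project or the issue author) that models the current opt-in behaviour beside the proposed opt-out behaviour. It detects an embedded SCT by looking for the RFC 6962 SCT-list extension OID in a parsed certificate, and it constructs self-signed test certificates with and without that extension so the policy functions can be exercised offline. The `VerifyOptions` struct, the field names and the `ErrNoSCT` sentinel are assumptions made for this illustration, not Cosign's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidEmbeddedSCT is the RFC 6962 SCT list extension (1.3.6.1.4.1.11129.2.4.2),
// the extension in which a CT-logged leaf certificate carries embedded SCTs.
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// HasEmbeddedSCT reports whether the certificate carries the SCT list extension.
// Presence is all that is checked here; cryptographic SCT validation against
// the log's public key is out of scope for this illustration.
func HasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			return true
		}
	}
	return false
}

// VerifyOptions models the verification-side inputs discussed in the issue
// (hypothetical struct, not Cosign's own options type).
type VerifyOptions struct {
	EnforceSCT  bool   // current behaviour: opt-in flag that forces the SCT check
	Insecure    bool   // proposed behaviour: opt-out flag that skips the SCT check
	DetachedSCT []byte // SCT supplied out-of-band, as in private deployments
}

// ErrNoSCT is returned when the check must run but there is nothing to check.
var ErrNoSCT = errors.New("no SCT: neither embedded in certificate nor supplied detached")

// CurrentPolicy: the check runs only if the enforce flag is set or an embedded
// SCT is present. With neither, the check is silently skipped, which is the
// gap the issue describes. Returns whether the check ran and any error.
func CurrentPolicy(cert *x509.Certificate, opts VerifyOptions) (bool, error) {
	embedded := HasEmbeddedSCT(cert)
	if !opts.EnforceSCT && !embedded {
		return false, nil // skipped: no flag, no embedded SCT
	}
	if !embedded && len(opts.DetachedSCT) == 0 {
		return true, ErrNoSCT // enforced, but nothing available to verify
	}
	return true, nil
}

// ProposedPolicy: an SCT (embedded or detached) is always required unless the
// insecure flag is explicitly given, mirroring what signing already does.
func ProposedPolicy(cert *x509.Certificate, opts VerifyOptions) (bool, error) {
	if opts.Insecure {
		return false, nil // operator explicitly opted out
	}
	if HasEmbeddedSCT(cert) || len(opts.DetachedSCT) > 0 {
		return true, nil
	}
	return true, ErrNoSCT
}

// NewTestCert builds a constructed self-signed certificate, optionally carrying
// an SCT list extension with an empty OCTET STRING payload. It exists only to
// exercise the policy functions; it is not a real Fulcio-issued certificate.
func NewTestCert(withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: []byte{0x04, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := NewTestCert(false) // an older-style certificate with no embedded SCT
	ran, err := CurrentPolicy(cert, VerifyOptions{})
	fmt.Printf("current:  ran=%v err=%v\n", ran, err)
	ran, err = ProposedPolicy(cert, VerifyOptions{})
	fmt.Printf("proposed: ran=%v err=%v\n", ran, err)
}
```

The contrast worth noticing is the certificate with no embedded SCT and no flags: the current policy returns `ran=false` with no error (the check never happens), while the proposed policy fails closed with `ErrNoSCT` until the operator either supplies a detached SCT or explicitly sets the insecure flag.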
Code:

- cosign/pkg/cosign/verify.go, lines 204 to 215 in d795dcb
- cosign/cmd/cosign/cli/options/certificate.go, line 77 in d795dcb