Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: cosign sign-blob should accept --certificate and --certificate-chain #2635

Open
nsmith5 opened this issue Jan 16, 2023 · 5 comments
Open

feature: cosign sign-blob should accept --certificate and --certificate-chain #2635

nsmith5 opened this issue Jan 16, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@nsmith5
Copy link
Contributor

nsmith5 commented Jan 16, 2023

Description

While cosign verify-blob will accept a certificate and CA chain to verify against, it appears the signing command won't accept them. Feels reasonable to make these two commands symmetric.
@nsmith5 nsmith5 added the enhancement New feature or request label Jan 16, 2023
nsmith5 added a commit to nsmith5/cosign that referenced this issue Jan 16, 2023
@nsmith5
feature: support sign-blob with certificate
4799499 
Adds support for `--certificate` and `--certificate-chain` to the
sign-blob command. Fixes sigstore#2635

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
@nsmith5 nsmith5 mentioned this issue Jan 16, 2023
Closed
@haydentherapper
Copy link
Contributor

What would those be used for? The purpose of including those flags for “cosign sign” is to attach them to the OCI image. For sign-blob, there is nothing to attach to.

The use case I’m not sure if we support now would be uploading a certificate associated with a signing key to Rekor.

nsmith5 added a commit to nsmith5/cosign that referenced this issue Jan 16, 2023
@nsmith5
feature: support sign-blob with certificate
0f16131 
Adds support for `--certificate` and `--certificate-chain` to the
sign-blob command. Fixes sigstore#2635

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
nsmith5 added a commit to nsmith5/cosign that referenced this issue Jan 16, 2023
@nsmith5
feature: support sign-blob with certificate
7b724dc 
Adds support for `--certificate` and `--certificate-chain` to the
sign-blob command. Fixes sigstore#2635

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
@nsmith5
Copy link
Contributor Author

nsmith5 commented Jan 16, 2023

They end up working together with --bundle so that they get attached to that bundle if specified. This makes cosign verify-blob --bundle bundle.txt --certificate-chain chain.pem blob.txt work when you byo CA

@haydentherapper
Copy link
Contributor

SG, I would also test for how this interacts with Rekor. Though this is likely related to the other issue you filed regarding precedence between keys and certs.

@nsmith5
Copy link
Contributor Author

nsmith5 commented Jan 17, 2023

Yeah this was kind of a yak shave moment because I went to go test cosign verify-blob for that other issue and figured out I couldn't sign 😆

nsmith5 added a commit to nsmith5/cosign that referenced this issue Jan 18, 2023
@nsmith5
feature: support sign-blob with certificate
2769376 
Adds support for `--certificate` and `--certificate-chain` to the
sign-blob command. Fixes sigstore#2635

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
@znewman01
Copy link
Contributor

See also #2511

@dmitris dmitris mentioned this issue Jan 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feature: support sign-blob with certificate nsmith5/cosign
3 participants
@znewman01 @haydentherapper @nsmith5