
--insecure-ignore-sct possibly broken when verifying keyless sig #3514

Closed
willarmiros opened this issue Jan 31, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@willarmiros

Description

I have been following this blog to run a sigstore setup including Rekor, Fulcio, and TUF locally. Everything has worked ok until I try to verify a signature.

I sign a blob using:

COSIGN_EXPERIMENTAL=1 cosign sign-blob --fulcio-url http://localhost:5555 --rekor-url http://localhost:3000 --insecure-skip-verify --output-certificate local.cert --output-signature local.sig  my_file

I then try to verify the signature like so:

COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert local.cert --rekor-url http://localhost:3000 --signature local.sig --certificate-identity <my_email> --certificate-oidc-issuer https://github.com/login/oauth --insecure-ignore-sct  my_file

This gives the following error:

**Warning** Missing fallback target fulcio_v1.crt.pem, skipping
**Warning** Missing fallback target fulcio_intermediate_v1.crt.pem, skipping
**Warning** Missing fallback target ctfe.pub, skipping
Error: getting ctlog public keys: no matching targets by custom metadata, fallbacks not found: ctfe.pub
main.go:74: error during command execution: getting ctlog public keys: no matching targets by custom metadata, fallbacks not found: ctfe.pub

I would expect that passing --insecure-ignore-sct would prevent such an error, since as the blog tutorial suggested I am NOT running a CT server. I saw #3386 and was able to confirm that the signing & verifying works with my setup using normal public/private keypairs, so I think maybe a similar bug exists for the keyless logic?

Version

GitVersion:    2.2.2
GitCommit:     bf6b57bc3edf8deb7e225e4dbd2d26c0d432979b
GitTreeState:  "clean"
BuildDate:     2023-12-05T18:59:25Z
GoVersion:     go1.21.4
Compiler:      gc
Platform:      darwin/arm64
@willarmiros willarmiros added the bug Something isn't working label Jan 31, 2024
@willarmiros willarmiros changed the title --insecure-ignore-sct possibly broken when verifying keyless --insecure-ignore-sct possibly broken when verifying keyless sig Jan 31, 2024
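The error quoted in the report is raised while cosign tries to load the CT log public key (the ctfe.pub TUF target), i.e. before the --insecure-ignore-sct flag gets a chance to short-circuit SCT verification. The Go program below is an added example and is not cosign's code: it builds a throwaway self-signed certificate as a constructed stand-in for a Fulcio leaf, checks whether that certificate carries the RFC 6962 embedded SCT list extension (the thing a Fulcio without a CT log will not add), and applies a toy policy function in which the ignore flag is consulted before any CT log key is required. The names HasEmbeddedSCT, CheckSCTPolicy, NewTestCert and the ctLogKeyAvailable parameter are this example's own assumptions, not cosign identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the RFC 6962 embedded SCT list extension (1.3.6.1.4.1.11129.2.4.2).
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// HasEmbeddedSCT reports whether the certificate carries the CT SCT list extension.
// A Fulcio instance that is not wired to a CT log issues certificates without it.
func HasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			return true
		}
	}
	return false
}

// CheckSCTPolicy is a toy model of the ordering the issue expects: the ignore
// flag is honoured first, so a missing CT log key (ctLogKeyAvailable=false,
// a hypothetical stand-in for the ctfe.pub lookup) only matters when SCTs are
// actually going to be verified. Real SCT signature verification is omitted.
func CheckSCTPolicy(cert *x509.Certificate, ignoreSCT bool, ctLogKeyAvailable bool) error {
	if ignoreSCT {
		return nil
	}
	if !ctLogKeyAvailable {
		return errors.New("getting ctlog public keys: no CT log key available")
	}
	if !HasEmbeddedSCT(cert) {
		return errors.New("certificate has no embedded SCT")
	}
	// A real verifier would now check each SCT signature against the CT log key.
	return nil
}

// NewTestCert builds a self-signed leaf certificate (constructed test data, not
// a Fulcio certificate). With withSCT=true it adds a placeholder SCT extension
// whose value is an OCTET STRING wrapping an empty RFC 6962 SCT list.
func NewTestCert(withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "local-fulcio-test"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id:    oidEmbeddedSCT,
			Value: []byte{0x04, 0x02, 0x00, 0x00}, // OCTET STRING { uint16 length 0 }
		}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withSCT := range []bool{false, true} {
		cert, err := NewTestCert(withSCT)
		if err != nil {
			panic(err)
		}
		fmt.Printf("cert built withSCT=%v: embedded SCT present=%v\n", withSCT, HasEmbeddedSCT(cert))
		fmt.Printf("  ignore-sct, no CT key: %v\n", CheckSCTPolicy(cert, true, false))
		fmt.Printf("  verify-sct, no CT key: %v\n", CheckSCTPolicy(cert, false, false))
		fmt.Printf("  verify-sct, CT key:    %v\n", CheckSCTPolicy(cert, false, true))
	}
}
```

To apply the same check to a real certificate such as the local.cert from the report, decode the PEM with encoding/pem and pass the parsed certificate to HasEmbeddedSCT; if it returns false, the issuing Fulcio had no CT log and --insecure-ignore-sct is the only way a keyless verification can pass, which is why the flag has to be consulted before cosign resolves ctfe.pub.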
@haydentherapper (Contributor)

We're cutting a new release of Cosign tomorrow which includes #3427 which I believe should fix this

@haydentherapper (Contributor)

@willarmiros Can you confirm the new release fixed this for you?

@willarmiros (Author)

@haydentherapper I can confirm with cosign 2.2.3 it works now, thanks!
