Support Azure KMS #399
Comments
We are currently working on this with my colleague @Dentrax
@developer-guy there is a WIP PR, sigstore/sigstore#76, please take a look at that.
@cpanato I think I discovered a problem in the current implementation, when the signature is verified with the local cosign.pub cert that gets created automatically when you initialize the KeyVault (signing worked like a charm).

```
cosign verify -key cosign.pub XYZ.azurecr.io/example-func:1.0.0
error: no matching signatures:
failed to verify signature
```

When I verify via the kms flag, it works fine:

```
cosign verify -key azurekms://XYZ-kv.vault.azure.net/cosign XYZ.azurecr.io/example-func:1.0.0

Verification for XYZ.azurecr.io/example-func:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

{"critical":{"identity":{"docker-reference":"XYZ.azurecr.io/example-func"},"image":{"docker-manifest-digest":"sha256:e231349fdf394a570e0cb84fe5109bc6980f52b84dd219fcae9922922a715d7d"},"type":"cosign container image signature"},"optional":{"tag":"1.0.0"}}
```

Is there something wrong with the cosign.pub that gets persisted to disk when you initialize the KeyVault? I have also tested an override with the public-key command; sadly I get the same result:

```
cosign public-key -key azurekms://XYZ-kv.vault.azure.net/cosign > cosign.pub
cosign verify -key cosign.pub XYZ.azurecr.io/example-func:1.0.0
error: no matching signatures:
failed to verify signature
```

Did I do something wrong in the commands?
@containerpope thanks for raising this, I will take a look and reproduce and see how to fix it
@cpanato no worries, I was just testing on our dev environment. If you need more data or logs feel free to reach out and I will try to provide some.
@cpanato I investigated further and downloaded the certificate also with the az tooling.

```
az keyvault key download --vault-name vault-name -n cosign -e PEM -f mykey.pem
```

The certificates are identical, so it seems that cosign verify just does not work properly with the local certificate. In case you use the key vault kms command to verify it, it works. Is there any difference between the implementations?
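As an added illustration, not cosign's code and not posted by anyone in this thread: the Go program below uses only the standard library to show what a local public-key verification actually checks, so the two steps in the report above (comparing the exported cosign.pub with the key from `az keyvault key download`, and then verifying with that key) can be reasoned about separately. Every function name here is made up for the example, the payload is a constructed stand-in for the signed JSON, and a throwaway P-256 key generated in-process replaces the Key Vault key. The last check, which re-encodes the DER signature as raw r||s, is there only to show that a key can be correct while the signature encoding is not; nothing in the thread establishes that this is what happens with Azure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
)

// parsePublicKeyPEM decodes one "PUBLIC KEY" PEM block into an ECDSA public key.
func parsePublicKeyPEM(data []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	ec, ok := pub.(*ecdsa.PublicKey) // safe on a nil interface: ok is just false
	if err != nil || !ok {
		return nil, fmt.Errorf("not a PKIX ECDSA public key: %v", err)
	}
	return ec, nil
}

// encodePEM writes a public key in the PKIX layout a cosign.pub file uses.
func encodePEM(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// SamePublicKey is the "are the certificates identical" check from the thread:
// do two independently exported PEM files carry the same ECDSA public key?
func SamePublicKey(a, b []byte) (bool, error) {
	ka, errA := parsePublicKeyPEM(a)
	kb, errB := parsePublicKeyPEM(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("parse failed: %v / %v", errA, errB)
	}
	return ka.Equal(kb), nil
}

// VerifyWithPEM checks a DER-encoded ECDSA signature over SHA-256(payload)
// against a PEM public key, fully offline: no KMS is consulted.
func VerifyWithPEM(pubPEM, payload, sig []byte) (bool, error) {
	pub, err := parsePublicKeyPEM(pubPEM)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// derToRaw re-encodes a DER signature as fixed-width r||s (64 bytes on P-256), only
// to show that the same (r, s) pair in another encoding is rejected by a DER verifier.
func derToRaw(der []byte) ([]byte, error) {
	var sig struct{ R, S *big.Int }
	if _, err := asn1.Unmarshal(der, &sig); err != nil {
		return nil, err
	}
	raw := make([]byte, 64)
	sig.R.FillBytes(raw[:32])
	sig.S.FillBytes(raw[32:])
	return raw, nil
}

// Scenario records the outcome of one constructed sign-then-verify round trip.
type Scenario struct {
	KeysMatch   bool // two exports of the public key compare equal
	DERVerifies bool // DER signature over the signed payload verifies with the PEM key
	RawVerifies bool // the same signature as r||s (expected: false)
}

// RunScenario uses a throwaway P-256 key in place of the KMS key and runs the checks
// that separate "wrong key" from "wrong payload or signature encoding".
func RunScenario() (s Scenario, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return s, err
	}
	// Two exports of the same key, as cosign public-key and az keyvault key download each give one.
	pubPEM := encodePEM(&priv.PublicKey)
	if s.KeysMatch, err = SamePublicKey(pubPEM, encodePEM(&priv.PublicKey)); err != nil {
		return s, err
	}
	payload := []byte(`{"critical":{"identity":{"docker-reference":"XYZ.azurecr.io/example-func"}}}`) // constructed
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:]) // DER, the form VerifyWithPEM expects
	if err != nil {
		return s, err
	}
	if s.DERVerifies, err = VerifyWithPEM(pubPEM, payload, sig); err != nil {
		return s, err
	}
	raw, _ := derToRaw(sig) // sig came from SignASN1, so it parses
	s.RawVerifies, err = VerifyWithPEM(pubPEM, payload, raw)
	return s, err
}

func main() { fmt.Println(RunScenario()) }
```

`go run` prints the Scenario struct. When both exports agree and a DER signature verifies offline with that key, a failing local verify narrows the search to the payload bytes being verified or the signature format, rather than the key file itself, which is the distinction the az download comparison above is getting at.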
Closing this issue now, support is in although there are bugs!
Description
Support Azure KMS