Issue with --output-certificate in cosign sign-blob #4140
Both `cosign sign` and `cosign sign-blob` commands support the `--output-certificate` parameter, but they behave differently when signing with a private key.

Example with cosign sign (image signing):

```
cosign sign --key cosign.key --output-certificate certificate.crt --output-signature signature.sig --record-creation-timestamp --tlog-upload=false --upload=false hello-world:latest
```

In this example, when signing an image using cosign sign, the `--output-certificate` flag generates a certificate containing the public key.

Example with cosign sign-blob (blob signing):

```
cosign sign-blob --key cosign.key --output-certificate certificate.crt --output-signature signature.sig --tlog-upload=false test-zip-file.zip
```

However, when signing a blob using cosign sign-blob, despite the presence of the `--output-certificate` flag, no certificate is generated.

My question is:

Why does signing an image generate a certificate with the public key, but signing a blob does not? How does the `--output-certificate` flag work in this context for blobs or in general?

I understand that when a blob is signed using the keyless method, a certificate is generated, but this behavior seems different when using the private key for signing.

Comments

Good find! It looks like for Can you confirm that the output certificate is actually a base64 encoded key?

Yes, the output certificate is a base64 encoded key. Example command:

The generated certificate (certificate.crt) contains the encoded public key:

Hey, so I have been actually trying to look into this, but I'm still fairly new to this and how it all works. When passing in a key imported by cosign for use, /x/crypto/x509 reports out

Keys shouldn't get parsed by crypto/x509 since that library is for certificates. With the links above, we just need to add a check that the output is actually a certificate.