Open
Description
Using cosign with Azure KMS results in different behavior for validation with KMS and local pub cert.
cosign --insecure-ignore-tlog=true verify -key azurekms://keyvault-xyz.vault.azure.net/cosign registryXYZ.azurecr.io/example-func:1.0.0
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for registryXYZ.azurecr.io/example-func:1.0.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
But when I use the created public certificate, the result is as follows:
cosign --insecure-ignore-tlog=true verify -key cosign.pub registryXYZ.azurecr.io/example-func:1.0.0
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
I also exported the key again and tried to reproduce, with the same result:
cosign public-key -key azurekms://ckeyvaultXYZ.azure.net/cosign > cosign-new.pub
cosign verify -key cosign-new.pub registryXYZ.azurecr.io/example-func:1.0.0
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
Is there anything I did wrong or is there a bug in the verification?
Version
cosign version
GitVersion: v2.2.0
GitCommit: 546f1c5b91ef58d6b034a402d0211d980184a0e5
GitTreeState: clean
BuildDate: 2023-08-31T18:52:52Z
GoVersion: go1.21.0
Compiler: gc
Platform: linux/amd64
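For readers trying to interpret the error in the report: `crypto/rsa: verification error` is Go's `rsa.ErrVerification`, and Go returns that one sentinel whether the public key is wrong, the payload was altered, or the signature was produced under a different RSA padding scheme than the one used to verify it. The added example below (not cosign code, and not a diagnosis of this issue) signs a constructed payload and shows that a valid RSA-PSS signature fails PKCS#1 v1.5 verification with exactly that error, and vice versa; it also shows the key-equality check worth running on an exported key before suspecting the signature. Key material, payload and function names are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// SignPSS signs the SHA-256 digest of payload with RSA-PSS padding.
func SignPSS(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	d := sha256.Sum256(payload)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// SignPKCS1v15 signs the same digest with PKCS#1 v1.5 padding.
func SignPKCS1v15(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	d := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// VerifyPSS checks sig against payload under RSA-PSS.
func VerifyPSS(pub *rsa.PublicKey, payload, sig []byte) error {
	d := sha256.Sum256(payload)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

// VerifyPKCS1v15 checks sig against payload under PKCS#1 v1.5.
func VerifyPKCS1v15(pub *rsa.PublicKey, payload, sig []byte) error {
	d := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// IsRSAVerificationError reports whether err is rsa.ErrVerification, the
// sentinel whose text is "crypto/rsa: verification error". Go returns the
// same error for a wrong key, a tampered payload and a padding mismatch.
func IsRSAVerificationError(err error) bool {
	return errors.Is(err, rsa.ErrVerification)
}

// SamePublicKey reports whether two RSA public keys have the same modulus
// and exponent: the first thing to confirm about an exported key.
func SamePublicKey(a, b *rsa.PublicKey) bool {
	return a.Equal(b)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key, not a KMS key
	if err != nil {
		log.Fatal(err)
	}
	payload := []byte("constructed sample payload") // constructed, not a cosign payload

	sig, err := SignPSS(priv, payload)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("PSS signature, PSS verify:      ", VerifyPSS(&priv.PublicKey, payload, sig))
	fmt.Println("PSS signature, PKCS1v15 verify: ", VerifyPKCS1v15(&priv.PublicKey, payload, sig))

	other, err := rsa.GenerateKey(rand.Reader, 2048) // a second, unrelated key
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("PSS signature, other key:       ", VerifyPSS(&other.PublicKey, payload, sig))
	fmt.Println("exported key matches signer:    ", SamePublicKey(&priv.PublicKey, &other.PublicKey))
}
```

Because the error text does not distinguish the causes, the practical order of checks is: confirm the exported public key equals the signing key (modulus and exponent), then confirm both sides agree on the padding scheme and hash, and only then suspect the signature bytes or the signed payload.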