Description
@eddiezane and I stumbled on this today - verify-blob has logic for handling DSSE messages (cosign/cmd/cosign/cli/verify/verify_blob.go, lines 234 to 237 in 128f8fb), but when this is combined with COSIGN_EXPERIMENTAL, it fails:

We think the root cause is that verify-blob is expecting a blob + signature (because by default it's expecting raw bytes, not a DSSE envelope), so when it tries to look up the rekor entry it fails, because the check of whether to look up by HashedRekord or Intoto depends on whether a signature is present (it assumes a signature for DSSE is not needed because it's in the message itself): cosign/pkg/cosign/tlog.go, lines 289 to 303 in 128f8fb

However, verify-blob requires --signature, which means you can't query by intoto:

$ cosign verify-blob test.json.sig --cert=<(rekor-cli get --log-index 3121421 --format json | jq -r .Body.IntotoObj.publicKey | base64 -d)
Error: verifying blob [test.json.sig]: missing flag '--signature'
main.go:62: error during command execution: verifying blob [test.json.sig]: missing flag '--signature'

We can't use verify-attestation, since that assumes there's an OCI image (I'm just trying to verify a raw DSSE envelope signed via keyless signing).

One thing that was a bit surprising was that verify-blob had any kind of special casing for DSSE at all. Maybe it would be worth breaking this up into a separate verify-dsse subcommand, or let verify-attestation act on direct messages instead of requiring OCI?
Version
128f8fb
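The distinction the issue turns on (a DSSE envelope carries its own signatures over the PAE, while a plain blob needs a detached signature over its bytes, and the Rekor entry kind follows from which one you have) is spelled out below as an added example. This is not cosign's or rekor's code: the envelope shape and PAE follow the DSSE spec, the P-256 key stands in for a keyless certificate's key, the in-toto statement is constructed, and ChooseRekorKind is an assumed rendering of the decision the issue attributes to tlog.go, not the actual function there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Envelope is the DSSE envelope: signatures travel inside the message,
// so a verifier needs no detached signature for it.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64 signature over the PAE, not the raw payload
}

// SampleStatement is a constructed in-toto statement used as the envelope payload.
const SampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://example.com/constructed","subject":[{"name":"test.json","digest":{"sha256":"00"}}],"predicate":{}}`

// GenerateKey makes a P-256 key pair (assumption: stands in for a keyless cert's key).
func GenerateKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// pae is the DSSE Pre-Authentication Encoding: "DSSEv1 <len> <type> <len> <payload>".
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// SignDSSE signs sha256(PAE) and embeds the signature in the envelope.
func SignDSSE(priv *ecdsa.PrivateKey, payloadType string, payload []byte) (*Envelope, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyDSSE checks an envelope with the public key alone; one valid signature suffices.
func VerifyDSSE(pub *ecdsa.PublicKey, env *Envelope) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	for _, s := range env.Signatures {
		if raw, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ecdsa.VerifyASN1(pub, digest[:], raw) {
			return nil
		}
	}
	return errors.New("no envelope signature verified")
}

// SignBlob / VerifyBlob are the detached-signature path a plain blob takes: sha256 of the raw bytes.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func VerifyBlob(pub *ecdsa.PublicKey, blob, sig []byte) bool {
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// EncodeEnvelope gives the on-disk JSON form of an envelope (what test.json.sig would hold).
func EncodeEnvelope(env *Envelope) ([]byte, error) { return json.Marshal(env) }

// ChooseRekorKind is an assumed rendering of the decision the issue describes: a parseable DSSE
// envelope that carries signatures is looked up as an intoto entry and must not be paired with a
// detached signature; anything else is a raw blob, which needs one and is a hashedrekord lookup.
func ChooseRekorKind(input, detachedSig []byte) (string, error) {
	var env Envelope
	if json.Unmarshal(input, &env) == nil && env.PayloadType != "" && len(env.Signatures) > 0 {
		if detachedSig != nil {
			return "", errors.New("DSSE envelope already carries its signatures; a detached --signature does not apply")
		}
		return "intoto", nil
	}
	if detachedSig == nil {
		return "", errors.New("raw blob needs a detached signature (missing flag '--signature')")
	}
	return "hashedrekord", nil
}

func main() {
	priv, _ := GenerateKey()
	env, _ := SignDSSE(priv, "application/vnd.in-toto+json", []byte(SampleStatement))
	raw, _ := EncodeEnvelope(env)
	fmt.Println("DSSE verify:", VerifyDSSE(&priv.PublicKey, env))
	fmt.Println(ChooseRekorKind(raw, nil))                    // intoto <nil>
	sig, _ := SignBlob(priv, []byte("raw blob"))
	fmt.Println(ChooseRekorKind([]byte("raw blob"), sig))     // hashedrekord <nil>
	fmt.Println(ChooseRekorKind([]byte("raw blob"), nil))     // "" + the missing --signature error
}
```

Run it with `go run main.go`. The third ChooseRekorKind call reproduces the situation in the issue from the other side: a raw blob handed in without a detached signature has nothing to look up under hashedrekord, while an envelope handed in with --signature is equally wrong because its signatures are already inside the message.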