
Signed Certificate Timestamp with Long-lived Keys #3236

Closed
jkjell opened this issue Sep 12, 2023 · 1 comment · Fixed by #3237
Labels
bug Something isn't working question Further information is requested

Comments

@jkjell (Contributor) commented Sep 12, 2023

Question
When signing an image with the command below:
cosign sign --key cosign.key <IMAGE> --tlog-upload=false

it's required to use this command to verify it (in a restricted environment, i.e. no access to TUF root CDN):
cosign verify --key cosign.pub <IMAGE> --insecure-ignore-tlog --insecure-ignore-sct

even though no timestamp will be added. This is related to this Slack thread.

Should it be necessary to ignore the "Signed Certificate Timestamp" when not signing with a certificate? Are there valid use-cases for a timestamp with a long-lived key?

@jkjell jkjell added the question Further information is requested label Sep 12, 2023
@haydentherapper (Contributor) commented

If you only specify a key, you should not need to specify the SCT flag. That would be a bug we can fix.

@haydentherapper haydentherapper added the bug Something isn't working label Sep 12, 2023
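The point raised in the thread is that a Signed Certificate Timestamp only exists for the certificate path: it is a CT log's promise that a short-lived Fulcio certificate was logged, so there is nothing to check when the signature was made with a long-lived key passed via --key. The following Go program is an added example written for this page, not cosign's own code or the code of PR #3237. The VerifyOptions, Plan and SCTRequired names are hypothetical models of the flags discussed above, and the payload is a constructed stand-in for a signed image descriptor; the signing and verification itself is plain ECDSA P-256 over SHA-256, which is the long-lived-key mechanism the issue's commands rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// VerifyMode distinguishes the two kinds of trust material the commands in
// this issue select: a long-lived key (--key cosign.pub) or a short-lived
// certificate (keyless/Fulcio). Hypothetical type, not cosign's API.
type VerifyMode int

const (
	ModeKey         VerifyMode = iota // --key: long-lived public key
	ModeCertificate                   // keyless: short-lived Fulcio certificate
)

// VerifyOptions models the flags mentioned in the issue (assumption: this is
// an illustrative struct, not the real cosign option type).
type VerifyOptions struct {
	Mode       VerifyMode
	IgnoreSCT  bool // --insecure-ignore-sct
	IgnoreTlog bool // --insecure-ignore-tlog
}

// SCTRequired is the decision the bug fix is about: an SCT is only meaningful
// when a certificate is being verified, so key-based verification never
// demands one, regardless of --insecure-ignore-sct.
func SCTRequired(o VerifyOptions) bool {
	return o.Mode == ModeCertificate && !o.IgnoreSCT
}

// Plan returns, in order, the checks verification should run for the given
// options. The signature check is unconditional; certificate-only checks
// (chain, identity, SCT) apply only in certificate mode; transparency-log
// inclusion applies unless explicitly ignored, in either mode.
func Plan(o VerifyOptions) []string {
	checks := []string{"signature"}
	if o.Mode == ModeCertificate {
		checks = append(checks, "certificate-chain", "identity")
		if SCTRequired(o) {
			checks = append(checks, "sct")
		}
	}
	if !o.IgnoreTlog {
		checks = append(checks, "tlog-inclusion")
	}
	return checks
}

// SignPayload signs SHA-256(payload) with a long-lived ECDSA key, the
// operation behind `cosign sign --key cosign.key`.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyPayload is the corresponding key-only verification: no certificate,
// hence no SCT, is involved at any point.
func VerifyPayload(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RoundTrip generates a key, signs a constructed payload and verifies both
// the genuine payload and a tampered copy. Returns (genuineOK, tamperedOK).
func RoundTrip() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample payload standing in for an image signature body.
	payload := []byte(`{"critical":{"identity":{"docker-reference":"example.test/app"}}}`)
	sig, err := SignPayload(priv, payload)
	if err != nil {
		return false, false, err
	}
	genuine := VerifyPayload(&priv.PublicKey, payload, sig)
	tampered := VerifyPayload(&priv.PublicKey, append(payload, '!'), sig)
	return genuine, tampered, nil
}

func main() {
	// Key mode in a restricted environment: only --insecure-ignore-tlog is needed.
	fmt.Println("key, no tlog:", Plan(VerifyOptions{Mode: ModeKey, IgnoreTlog: true}))
	fmt.Println("certificate:", Plan(VerifyOptions{Mode: ModeCertificate}))
	ok, tampered, err := RoundTrip()
	fmt.Println("genuine:", ok, "tampered:", tampered, "err:", err)
}
```

With these rules, `cosign verify --key cosign.pub --insecure-ignore-tlog` maps to a plan containing only the signature check, which is the behaviour the issue asks for; the SCT flag only changes the plan in certificate mode.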
jkjell added a commit to jkjell/cosign that referenced this issue Sep 12, 2023
…hen using a public key

Signed-off-by: John Kjell <john@testifysec.com>
haydentherapper pushed a commit that referenced this issue Sep 12, 2023
#3237)

* Fixes #3236, disable SCT checking for a cosign verification when using a public key

Signed-off-by: John Kjell <john@testifysec.com>

* Update additional verify functionality

Signed-off-by: John Kjell <john@testifysec.com>

---------

Signed-off-by: John Kjell <john@testifysec.com>
lance pushed a commit to securesign/cosign that referenced this issue Sep 25, 2023
…hen usin… (sigstore#3237)

* Fixes sigstore#3236, disable SCT checking for a cosign verification when using a public key

Signed-off-by: John Kjell <john@testifysec.com>

* Update additional verify functionality

Signed-off-by: John Kjell <john@testifysec.com>

---------

Signed-off-by: John Kjell <john@testifysec.com>