Unable to verify an image using a local certificate and a local certificate chain. It incorrectly raises the error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
To replicate this:
1. Sign an image and attach a certificate and a certificate chain, as per sigstore guidance.
2. Verify the image using the same cert/cert chain, as per guidance (last example).
The output is as follows:
$ cosign verify --certificate cacert.pem --cert-chain ca-chain-bundle.cert.pem <image>
Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
I.e. the issue is that it assumes I want keyless verification as soon as it does not find a --key.
Fix
The fix is very simple: refactor the code in the file cmd/cosign/cli/verify/verify.go > Exec(...), line 100, to include a check for c.CertRef before checking the identity.
We can't differentiate between when someone provides a certificate because they want "keyless" verification vs providing a certificate that only wraps a key without an identity. For Cosign 2.0, we've called out the latter use-case as no longer supported. We expect that certificates conform to the Fulcio certificate profile and that you'll need to provide an identity to verify the signature. If the certificate doesn't, then you should extract the certificate's key before verifying (using something like https://smallstep.com/docs/step-cli/reference/certificate/key to extract the key).
We'd like to tackle bring-your-own-PKI in a future release of Cosign to bring back support for this use-case while still preserving the identity requirements for identity-based certificates.
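The workaround the maintainer describes above (take the key out of a certificate that only wraps a key, then verify with --key) as an added example; this is not code from the cosign project. The Go program below accepts the same PEM leaf and chain you would hand to --certificate and --cert-chain, checks that the leaf actually chains to the supplied CA, refuses a Fulcio-style identity certificate (recognised by the Fulcio OIDC-issuer extension OIDs) so that the identity check is not silently dropped, and otherwise emits the leaf's public key as PEM for `cosign verify --key`. Every name in it (KeyForVerify, IsFulcioStyle, NewDemoChain, the demo-ca and demo-signer subjects, the https://oidc.example issuer) is an assumption made for this example, and NewDemoChain only generates throwaway test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fulcio stamps identity certificates with an OIDC-issuer extension
// (OID 1.3.6.1.4.1.57264.1.1, superseded by ...1.8); a cert without one only wraps a key.
var fulcioIssuerOIDs = []asn1.ObjectIdentifier{
	{1, 3, 6, 1, 4, 1, 57264, 1, 1},
	{1, 3, 6, 1, 4, 1, 57264, 1, 8},
}

// IsFulcioStyle reports whether cert carries a Fulcio issuer extension.
func IsFulcioStyle(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(fulcioIssuerOIDs[0]) || ext.Id.Equal(fulcioIssuerOIDs[1]) {
			return true
		}
	}
	return false
}

// KeyForVerify takes the PEM leaf and chain that would go to --certificate and
// --cert-chain, checks that the leaf chains to the supplied CA, and returns the
// leaf's public key as PEM for `cosign verify --key`; Fulcio-style certs are refused.
func KeyForVerify(leafPEM, chainPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("leaf: no PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("leaf: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(chainPEM) {
		return nil, fmt.Errorf("chain: no certificates found")
	}
	// ExtKeyUsageAny: private PKIs do not always set the codeSigning EKU.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("leaf does not chain to the supplied CA: %w", err)
	}
	if IsFulcioStyle(leaf) {
		return nil, fmt.Errorf("Fulcio identity certificate: verify with --certificate-identity and --certificate-oidc-issuer, not a bare key")
	}
	der, err := x509.MarshalPKIXPublicKey(leaf.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// NewDemoChain builds a throwaway CA and leaf (constructed test material, not real
// signing keys); with fulcioStyle set, the leaf gets a Fulcio issuer extension.
func NewDemoChain(fulcioStyle bool) (leafPEM, caPEM []byte) {
	must := func(err error) {
		if err != nil {
			panic(err) // demo material only; a real tool would return the error
		}
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if fulcioStyle {
		issuer, _ := asn1.MarshalWithParams("https://oidc.example", "utf8")
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: fulcioIssuerOIDs[1], Value: issuer}}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
```

Write the returned PEM to a file and run `cosign verify --key cosign.pub <image>`; the chain check is done here because `--key` mode has no chain of its own, so the CA validation the reporter wanted from --cert-chain has to happen before the key is trusted. The extraction step alone is what `openssl x509 -in cert.pem -pubkey -noout` does; the refusal of Fulcio-style certificates is the part that keeps the maintainer's identity requirement intact.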
It seemed to work absolutely fine when I made the change I mentioned above and correctly checked an image that I signed with a cert chain. Any reason why this is the case if this is not supported? The code for this check seems to still function as expected.
What is the downside of using it as I suggested?
If somebody is using keyless signing with the public Fulcio instance, this means that verifiers will trust any identity—something we want to avoid. And the keyless use case is the primary purpose for cosign verify.
I'm marking as a duplicate of #2630 (we do want to fix this, but the UX is going to be a little more subtle).
Version
release cosign v2