fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba

[developer-guy]

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com

Summary

Release Note

Documentation

[haydentherapper]

/hold

Most of these cases do no require the flag.

[codecov-commenter]

Codecov Report

Merging #2254 (4e729c3) into main (f43839b) will increase coverage by 0.16%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2254      +/-   ##
==========================================
+ Coverage   28.40%   28.57%   +0.16%     
==========================================
  Files         131      131              
  Lines        7832     7852      +20     
==========================================
+ Hits         2225     2244      +19     
+ Misses       5309     5302       -7     
- Partials      298      306       +8     

Impacted Files	Coverage Δ
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go	45.26% <0.00%> (+0.35%)	⬆️
cmd/cosign/cli/verify/verify.go	5.97% <0.00%> (+2.61%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[haydentherapper]

no flag required for all examples with a key

[znewman01]

+1, including the KMS ones. Anything without --certificate I think

[haydentherapper]

Can we update to --certificate?

[haydentherapper]

@asraa Should we use the list you made of all possible flag combos (cert/key, experimental/no experimental, bundle, expired/unexpired cert) and have an example for each of these with more explanation?

[znewman01]

+1

Further, I'd like to see some organization and explanation. Right now, the text is just a laundry list of "if X, then Y"

We should explain unset COSIGN_EXPERIMENTAL and COSIGN_EXPERIMENTAL=1 separately (I don't 100% understand the current behavior so please correct me, indicated uncertainty with "?")

Here's a braindump, maybe should move into Google Doc (feel free to copy it)

no experimental

Check the signature on a blob against the given key or certificate.

Keys

blah

Certificates

• --certificate and --certificate-chain example:

  The provided certificate (and all of the certificates in the chain(?) must be unexpired right now.

  NOTE: this just accepts whatever the last certificate of the chain is as your root. If you want to check that it matches a fixed root certificate, use keyless mode and SIGSTORE_ROOT_FILE (except we don't want people to do that? what do we tell these people?)

• --certificate no chain

  Checks that the certificate is signed by Fulcio (must be unexpired). Will that ever work?

Bundles

• --bundle

  If --bundle is provided, use the given Rekor bundle (see ...) to check that the time of the signature was while the certificate (and its ancestors??) were valid (without --bundle, the certificate must be currently valid).

  Works for keys and certs both.

  What happens if the bundle has a conflicting chain?

• --bundle + certs, no chain

  If there's a bundle use that to get the chain up to Fulcio?

experimental

Keys

Same as above, but we check that signatures are in Rekor (I think?)

If --bundle provided, check that against Rekor (offline).

Certs

• --certificate and --certificate-chain: Like the keyfull version, except instead of automatically trusting the certificate chain, we check that the root matches Fulcio's cert.

  If you'd like to BYO-root, set SIGSTORE_ROOT_FILE and we'll compare the root of the chain against that.

  We hit Rekor online.

• --certificate, no chain: this would only work if signed by the root directly, which probably won't be the case (maybe if you BYO-root?)

Bundles

• --keys Same as above, don't hit Rekor.

• --certificate and --certificate-chain and --bundle. Same as above, don't hit rekor

  TODO: what if bundle has a conflicting cert/chain?

• --certificate and --bundle: Same, but use a chain from bundle. Fails if bundle has no chain.

  TODO: what happens if the bundle has a conflicting cert?

• --bundle: Same, but use cert/chain from bundle. Fails if bundle has no cert/chain.

  TODO: if the bundle just provides a key, do we trust it?

[znewman01]

let's axe this example? it's just explaining how the environment variables work in a shell, I think

[znewman01]

Can we combine this with the "signature from URL" example?

[znewman01]

IMO, axe this example. Maybe we can move it to the docs/ directory of the Cosign repo. Or even a "useful tricks" section at the bottom of this doc.

[znewman01]

I would like to combine all the KMS examples. It'd be nice to list the syntax for each, but I don't need it in the full context.

[znewman01]

+1, including the KMS ones. Anything without --certificate I think

[znewman01]

s/$sig/<sig>

[znewman01]

+1

Further, I'd like to see some organization and explanation. Right now, the text is just a laundry list of "if X, then Y"

We should explain unset COSIGN_EXPERIMENTAL and COSIGN_EXPERIMENTAL=1 separately (I don't 100% understand the current behavior so please correct me, indicated uncertainty with "?")

Here's a braindump, maybe should move into Google Doc (feel free to copy it)

no experimental

Check the signature on a blob against the given key or certificate.

Keys

blah

Certificates

• --certificate and --certificate-chain example:

  The provided certificate (and all of the certificates in the chain(?) must be unexpired right now.

  NOTE: this just accepts whatever the last certificate of the chain is as your root. If you want to check that it matches a fixed root certificate, use keyless mode and SIGSTORE_ROOT_FILE (except we don't want people to do that? what do we tell these people?)

• --certificate no chain

  Checks that the certificate is signed by Fulcio (must be unexpired). Will that ever work?

Bundles

• --bundle

  If --bundle is provided, use the given Rekor bundle (see ...) to check that the time of the signature was while the certificate (and its ancestors??) were valid (without --bundle, the certificate must be currently valid).

  Works for keys and certs both.

  What happens if the bundle has a conflicting chain?

• --bundle + certs, no chain

  If there's a bundle use that to get the chain up to Fulcio?

experimental

Keys

Same as above, but we check that signatures are in Rekor (I think?)

If --bundle provided, check that against Rekor (offline).

Certs

• --certificate and --certificate-chain: Like the keyfull version, except instead of automatically trusting the certificate chain, we check that the root matches Fulcio's cert.

  If you'd like to BYO-root, set SIGSTORE_ROOT_FILE and we'll compare the root of the chain against that.

  We hit Rekor online.

• --certificate, no chain: this would only work if signed by the root directly, which probably won't be the case (maybe if you BYO-root?)

Bundles

• --keys Same as above, don't hit Rekor.

• --certificate and --certificate-chain and --bundle. Same as above, don't hit rekor

  TODO: what if bundle has a conflicting cert/chain?

• --certificate and --bundle: Same, but use a chain from bundle. Fails if bundle has no chain.

  TODO: what happens if the bundle has a conflicting cert?

• --bundle: Same, but use cert/chain from bundle. Fails if bundle has no cert/chain.

  TODO: if the bundle just provides a key, do we trust it?

[developer-guy]

I tried to address some of the reviews. Can you please take a look at @znewman01? Thx

[znewman01]

I have a couple of minor issues, but otherwise I think this looks good. We may want to totally rework the docs here, but that can happen later.