Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature: 'cosign verify' add flags --ca-roots and --ca-intermediates to allow multiple CA roots #3462

Closed
dmitris opened this issue Jan 2, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@dmitris
Copy link
Contributor

dmitris commented Jan 2, 2024

Description

Problem
Currently you can call cosign verify --certificate-chain with a file that contains a single CA root certificate and possibly related intermediate certificates. However, in a production environment with BYO CA (no Fulcio - as in [1], for example), due to the multiregion cloud redundancy, there may be multiple CAs that issue codesigning certificate, and it is necessary to be able to pass a certificate bundle file to cosign verify - otherwise the users of cosign verify would need to manually implement the "trial-and-error" loop calling cosign verify with different CA certificates passed as --certificate-chain values until the command succeeds! Needless to say, this would not be a good user experience 😄

Proposed Solution
add a new --ca-roots and --ca-intermediates optional flags for cosign verify and the related commands (verify-attestation, verify-blob, verify-blob-attestation) which would allow to pass a CA Roots certificate bundle PEM file as well as one for the Intermediate Certificates.. The --ca-roots and --ca-intermediates would be mutually exclusive with the --certificate-chain parameter - should use one or the other but not both.

$ cosign verify --help
[...]
    --ca-roots='':
	path to a bundle file of CA Root certificates in PEM format which will be needed when building the certificate
	chains for the signing certificate. Conflicts with --certificate-chain.

    --ca-intermediates='':
	path to a bundle file of CA Intermediate certificates in PEM format which will be needed when building the certificate
	chains for the signing certificate. Conflicts with --certificate-chain.

    --certificate-chain='':
	path to a list of CA certificates in PEM format which will be needed when building the certificate chain for
	the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and
	end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.

Miscellaneous
https://docs.sigstore.dev/system_config/custom_components/ indicates "a last resort" configuration option with the environment variable SIGSTORE_ROOT_FILE:

This specifies an out of band PEM-encoded X.509 certificate for a custom Fulcio root certificate.

However, this doesn't help to solve the stated problem - relying on the environment variable is inconvenient and fragile in a production deployment, and the documentation talks about the file containing a single certificate, not a certificate bundle with multiple CA roots.

References
[1] Scaling Up Supply Chain Security: Implementing Sigstore for Seamless Container Image Signing

Below is list of issues that are related to x509 and certificates:

/cc @woodruffw

@dmitris dmitris added the enhancement New feature or request label Jan 2, 2024
dmitris added a commit to dmitris/cosign that referenced this issue Jan 2, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry Savintsev <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 2, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
@dmitris dmitris changed the title feature: add 'cosign verify --certificate-bundle` to allow multiple CA roots feature: 'cosign verify' add flags --ca-roots and --ca-intermediates to allow multiple CA roots Jan 3, 2024
@dmitris dmitris changed the title feature: 'cosign verify' add flags --ca-roots and --ca-intermediates to allow multiple CA roots feature: 'cosign verify' add flags --ca-roots and --ca-intermediates to allow multiple CA roots Jan 3, 2024
@dmitris
Copy link
Contributor Author

dmitris commented Jan 3, 2024

When looking further into the implementation, I realized there is likely a problem in terms of the possible intermediate certificates. It is not clear how the intermediate certificates would be passed if there are intermediate certificates... Currently with --certificate-chain the instructions say: "Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate", therefore it is clear what to put into Roots (the last certificate in the file) and what - into Intermediates (the other certificates, if any) for x509.VerifyOptions.

Now if we make an alternative --ca-roots flag, it is not clear whether it would be only for the Roots, or whether one could also add intermediate certificates into the bundle - but in this case, how should they be separated?
I think this can be solved in the following way:

  • clarify that the PEM bundle should consist only of the CA roots with no intermediates.
  • for the case with multiple CA roots with intermediate certificates, add the --ca-intermediates flag which would populate verifyOptions.Intermediates.

To recap, the coverage of different cases by the flags would be:

  • One CA root, potentially with one or multiple corresponding intermediate certs - use --certificate-chain as currently
  • Multiple CA roots, no intermediates - use the new --ca-roots flag
  • Multiple CA roots, some or all with intermediate certificates - use the ca-roots and --ca-intermediates flags

I updated the issue Subject and the proposal above, as well as the (draft) PR with a --ca-roots implementation.

dmitris added a commit to dmitris/cosign that referenced this issue Jan 9, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
@woodruffw
Copy link
Member

Thanks for the ping @dmitris!

I don't have too much to add from cosign's UX side, but one idea: rather than two new additional flags, maybe this is something that fits under a singular --trusted-root flag, which would then be given a JSON serialized form of the TrustedRoot that the Public Good Instance uses?

(This works out, since a TrustedRoot can contain one or more CertificateAuthority models, each of which then has a cert_chain member with arbitrarily many roots and intermediates.)

For context, this is the route we're going down with sigstore-python: sigstore/sigstore-python#821 and sigstore/sigstore-python#779. Once we support --trusted-root, we'll likely remove all of the other individual flags that are covered by it.

@dmitris
Copy link
Contributor Author

dmitris commented Jan 10, 2024

Thanks for the comment @woodruffw!

I can see the advantages of the "full cover" single --trusted-root flag (for example, it can include the TSA certificate as well) - but besides having to implement it, we would need to start producing and distributing the certificates in the JSON "TrustedRoot" format to all the (internal) users. I'm go investigate how much effort and time it would take.

The full migration to --trusted-root and removal of --certificate-chain (some other flags as well?) would require the v3.0.0, right? Maybe we can do the following:

  • implement --trusted-root and announce that is going to be the way going forward
  • implement --ca-roots as a short-term / transitionary solution
  • mark both the new --ca-roots as well as the existing --certificate-chain as DEPRECATED, steer users toward the --trusted-root
  • with the 3.x release, remove all the parameters except --trusted-root.

dmitris added a commit to dmitris/cosign that referenced this issue Jan 11, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 11, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
@haydentherapper
Copy link
Contributor

haydentherapper commented Jan 16, 2024

@dmitris Sorry for the delayed response. Overall I'm supportive of this change. Splitting certificate-chain into a set of roots and a set of intermediates is definitely a step in the right direction. I'm good with adding these flags and marking certificate-chain as deprecated.

To your question about opinionated order for certificate-chain, I think these new flags are an opportunity to correct this. I noted in another bug openssl's design with a set of roots and a set of untrusted chain builders. Typically the former is only self-signed CA certificates and the latter is intermediates. I would prefer the UX to have two flags.

As you noted, you could have trusted intermediates as roots of trusts. This is where I'll differ from openssl - This is a footgun if you aren't experienced with PKI. Like you noted, what happens if the roots file contains an intermediate? I'd expect this to be a common misuse. I would prefer we require that all certs in the file are self-signed roots. I'm open to relaxing this constraint if the use-case pops up to have intermediates as the roots of trust, but we'll deal with that if/when someone asks.

I agree with @woodruffw that long-term, we want to support the TrustedRoot file to align with other Sigstore clients. I also recognize this is going to be a larger change, so delaying this to be a part of the longer-term UX changes to Cosign is fine. If you wanted to take on implementing support for this as part of this work, happy to chat more. Once this change lands, along with support for the newer bundle format, we'll release 3.0 and remove the multitude of ways to specify a chain.

Also @TomHennen since we've chatted about this, thoughts?

@TomHennen
Copy link
Contributor

Letting intermediates act as roots, definitely isn't what I expected!

Here's a test where I try to cover the existing 'offline' uses and where I'm surprised that I can leave the root out and it still works. 75485e8#diff-29007b577f66b9fca944d7d87e89d87a1027754f251a7e41feac1e61809b6cc4R663

To some extent I think just fixing up the command line options like you're doing would solve this?

I don't have an opinion on if it would be good/bad to differ fromm what openssl does.

dmitris added a commit to dmitris/cosign that referenced this issue Jan 22, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 22, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 26, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 26, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 28, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 28, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 29, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 29, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/sigstore-docs that referenced this issue Jan 29, 2024
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 30, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jan 30, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/sigstore-docs that referenced this issue Jan 30, 2024
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/sigstore-docs that referenced this issue Jan 30, 2024
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Feb 1, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Feb 1, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Apr 3, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Apr 3, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Apr 3, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 7, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 7, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 7, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 17, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 17, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 17, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Add --ca-intermediates flag to enable to pass a PEM file
with intermediate CA certificates.
One can use either --ca-roots, optionally together with
--ca-intermediates - or --certificate-chain, which contains
zero, one or several intermediate CA certificate followed
by the root CA certificate.

Expand the helper Go program test/gencert/main.go to
allow to generate root and intermediate CA certificates,
and a certificate signed by the intermediate CA.
Expand the functional test e2e_tsa_certbundle.sh
to test the --ca-intermediates flag (together with --ca-roots).

Fixed sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 18, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 19, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 19, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/sigstore-docs that referenced this issue Jun 21, 2024
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 25, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 25, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 26, 2024
Related to issue sigstore#3462.  Current commit adds the flag
to verify the CLI options.  The new flag doesn't have
any effect yet (will add in follow-up PRs).

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jun 26, 2024
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add --ca-intermediates flag
is TBD.  Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/sigstore-docs that referenced this issue Jul 1, 2024
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
haydentherapper pushed a commit to sigstore/docs that referenced this issue Jul 1, 2024
…310)

* document --ca-roots flag for 'cosign verify'

Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>

* add docs on --ca-intermediates for 'cosign verify'

Signed-off-by: Dmitry S <[email protected]>

* markdown fixes - add empty lines around shell backticks

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants