philips-software/docker-ci-scripts

Required or recommended to have cosign.pub?

Closed this issue · 2 comments

When signing something, you mention that it is recommended to have a cosign.pub. This is fine, but I don't have one in the repository which I'm testing.
I try to set mine using the environment variable COSIGN_PUBLIC_KEY.

Problem:

============================================================================================
Signing image
Sign image
Pushing signature to: ghcr.io/something
Verify signing
Error: loading public key: open cosign.pub: no such file or directory
main.go:46: error during command execution: loading public key: open cosign.pub: no such file or director

It does not seem to find a cosign.pub even though I added the environment variable.

Assumption:
I expect the software to check if the environment variable is set; if it is, it should be used, and if not, it should look for a cosign.pub in the directory. If neither is set or found, it should give me the above error.

The pub is only required to verify signatures and attestations. It is up to the consumer to either commit it or write the file in the build via an environment variable like @Brend-Smits did.

However, in the end I think the cosign.pub should also be part of the released artifacts for that release, so that consumers can verify the attestations. So where is the cosign.pub released eventually? Only having it as part of the git history makes it difficult for consumers to find the version used in a particular release (once we start doing key rotation).

This problem is related to #99

I write the environment variable to a temporary file, but I'm not using the mktemp functionality, which I should. Now it's writing the file in a different place.
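As an added example (not code from the docker-ci-scripts repository), a shell function implementing the lookup order the issue asks for: the COSIGN_PUBLIC_KEY environment variable is written to a file created with mktemp, otherwise ./cosign.pub in the search directory is used, otherwise the lookup fails with an error. The function name, the search-directory argument and the constructed key text are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of docker-ci-scripts. Resolves the public key file
# that `cosign verify --key` should be given, in this order:
#   1. $COSIGN_PUBLIC_KEY (PEM text) -> written to a mktemp file
#   2. <search_dir>/cosign.pub       -> used as-is
#   3. neither                       -> error on stderr, non-zero return
# Prints the path of the key file to use on stdout.
resolve_cosign_pubkey() {
  local search_dir="${1:-.}"
  if [ -n "${COSIGN_PUBLIC_KEY:-}" ]; then
    # mktemp creates a unique, owner-only file under $TMPDIR, so the key
    # never lands at a fixed path inside the workspace (the bug in the comment above)
    local keyfile
    keyfile="$(mktemp "${TMPDIR:-/tmp}/cosign.pub.XXXXXX")" || return 1
    printf '%s\n' "$COSIGN_PUBLIC_KEY" > "$keyfile"
    echo "$keyfile"
    return 0
  fi
  if [ -f "$search_dir/cosign.pub" ]; then
    echo "$search_dir/cosign.pub"
    return 0
  fi
  echo "Error: loading public key: COSIGN_PUBLIC_KEY not set and no cosign.pub in $search_dir" >&2
  return 1
}

# Intended use (assumed call shape, not run here):
#   key="$(resolve_cosign_pubkey)" && cosign verify --key "$key" ghcr.io/something
```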