sigstore/cosign

"cosign verify-blob" or "cosign verify" with local certificate and chain always asks for oidc provider

Closed this issue · 1 comments

Description
When invoking "cosign verify-blob" or "cosign verify" with a local certificate and chain, the CLI always asks for the cert identity and OIDC provider.

Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

Found the code here certificate flag

Is it a bug?

Version
v2.2.3

Working as intended: a certificate must contain an identity. If you are not using Fulcio, which issues identity certificates, you can extract the key with something like https://smallstep.com/docs/step-cli/reference/certificate/key/ and provide that instead.
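
The workaround from the reply above, sketched with plain openssl as an added example (not cosign's or the project's own code): extract the public key from a certificate that was not issued by Fulcio, verify a signature with that key alone, and check the chain separately, because a bare key carries no issuer information. The CA, subject names, file names and blob are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Subjects, file names and the blob are constructed for the demo.

# Throwaway CA plus a leaf signing certificate with no OIDC identity in it.
make_demo_pki() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Step 1: pull the public key out of the certificate
# (the same job `step certificate key` does).
cert_pubkey() {  # $1 = cert, $2 = output PEM
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Step 2: key-based verification checks the signature only. The cosign
# counterpart is: cosign verify-blob --key pub.pem --signature <sig> <blob>
verify_with_key() {  # $1 = public key, $2 = signature, $3 = blob
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Step 3: the extracted key says nothing about who issued it, so the chain
# has to be validated as a separate step.
cert_chains_to() {  # $1 = cert, $2 = trusted CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  printf 'release-artifact v1\n' > "$d/blob"
  openssl dgst -sha256 -sign "$d/leaf.key" -out "$d/blob.sig" "$d/blob"
  cert_pubkey "$d/leaf.pem" "$d/pub.pem"
  verify_with_key "$d/pub.pem" "$d/blob.sig" "$d/blob" && echo "signature: ok"
  cert_chains_to "$d/leaf.pem" "$d/ca.pem" && echo "chain: ok"
  printf 'tampered\n' >> "$d/blob"
  verify_with_key "$d/pub.pem" "$d/blob.sig" "$d/blob" || echo "tampered blob: rejected"
  rm -rf "$d"
}
demo
```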