cosign verify with certificates requires the --certificate-identity and --certificate-oidc-issuer flags
Closed this issue · 2 comments
dhaus67 commented
Description
When following the documentation for verifying signatures locally with certificates, the mentioned command is:
$ cosign verify --certificate cosign.crt --certificate-chain chain.crt user/demo
However, when executing this locally you'll get:
Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode
Given that the validation option has been the same for quite a while, I'm assuming it's just a documentation issue, but wanted to check in here first before creating an issue in the docs repo.
Version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: 2.2.4
GitCommit: fb651b4ddd8176bd81756fca2d988dd8611f514d
GitTreeState: "clean"
BuildDate: 2024-04-10T21:57:27Z
GoVersion: go1.22.2
Compiler: gc
Platform: darwin/amd64
haydentherapper commented
Yes, that is a documentation issue; you'll see it correctly documented in https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect. Do you want to make the fix in https://github.com/sigstore/docs?
dhaus67 commented
@haydentherapper yeah, will go ahead and do that in a jiffy, thanks for clarifying things!
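
Added example, not part of the issue thread or the cosign project: a small shell lint that flags certificate-based cosign verify commands in docs or pipeline scripts that omit the identity and issuer flags named in this issue's title. The function names are hypothetical, and the identity and issuer values in the sample are constructed placeholders.

```shell
#!/bin/sh
# Flag `cosign verify --certificate ...` commands that lack the identity and
# issuer flags. Function names are hypothetical; sample lines are constructed.

# Return 0 if the command line is acceptable, 1 if it is a certificate-based
# `cosign verify` missing --certificate-identity[-regexp] or
# --certificate-oidc-issuer[-regexp].
check_cosign_line() {
    line=$1
    # Out of scope: anything that is not `cosign verify` with --certificate.
    # The pattern does not match --certificate-chain or `cosign verify-blob`.
    printf '%s\n' "$line" | grep -Eq -e 'cosign[[:space:]]+verify[[:space:]]' || return 0
    printf '%s\n' "$line" | grep -Eq -e '--certificate([[:space:]]|=)' || return 0
    printf '%s\n' "$line" | grep -Eq -e '--certificate-identity(-regexp)?([[:space:]]|=)' || return 1
    printf '%s\n' "$line" | grep -Eq -e '--certificate-oidc-issuer(-regexp)?([[:space:]]|=)' || return 1
    return 0
}

# Read one command per line on stdin and print "N: command" for each one that
# fails the check. Exit status is 1 if anything was flagged, 0 otherwise.
lint_cosign_commands() {
    n=0
    bad=0
    while IFS= read -r l; do
        n=$((n + 1))
        if ! check_cosign_line "$l"; then
            printf '%s: %s\n' "$n" "$l"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the command quoted in the issue, a form with both flags
# (placeholder values), one with an identity but no issuer, and a key-based one.
sample_commands() {
    cat <<'EOF'
cosign verify --certificate cosign.crt --certificate-chain chain.crt user/demo
cosign verify --certificate cosign.crt --certificate-chain chain.crt --certificate-identity signer@example.com --certificate-oidc-issuer https://issuer.example.com user/demo
cosign verify --certificate cosign.crt --certificate-identity-regexp '.*@example\.com$' user/demo
cosign verify --key cosign.pub user/demo
EOF
}

sample_commands | lint_cosign_commands || echo "add the missing flags to the lines above"
```

To lint a real file, feed it one command per line: lint_cosign_commands < commands.txt.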