sigstore/cosign

cosign verify with certificates requires the --certificate-identity and --certificate-oidc-issuer flags

Closed this issue · 2 comments

Description

When following the documentation for verifying signatures locally with certificates, the mentioned command is:

$ cosign verify --certificate cosign.crt --certificate-chain chain.crt user/demo

However, when executing this locally you'll get:

Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

Given that the validation option has been the same for quite a while, I'm assuming it's just a documentation issue; but wanted to check in here first before creating an issue in the docs repo.

Version

cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    2.2.4
GitCommit:     fb651b4ddd8176bd81756fca2d988dd8611f514d
GitTreeState:  "clean"
BuildDate:     2024-04-10T21:57:27Z
GoVersion:     go1.22.2
Compiler:      gc
Platform:      darwin/amd64

Yes, that is a documentation issue; you'll see it correctly documented in https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect. Do you want to make the fix in https://github.com/sigstore/docs?

@haydentherapper yeah will go ahead and do that in a jiffy, thanks for clarifying things!
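
Why the two flags are mandatory, as an added Go example (not part of the issue thread and not cosign's own code): a valid chain only proves the CA issued the certificate, so the verifier still has to compare the certificate's subject alternative name and Fulcio OIDC issuer extension against expected values. The email-only SAN match, the raw-string issuer extension, the sample values and the names `checkIdentity` and `sampleCert` are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} // Fulcio OIDC issuer, raw-string form

// checkIdentity compares the certificate's issuer extension and email SAN with the expected values.
func checkIdentity(cert *x509.Certificate, wantIdentity, wantIssuer string) error {
	issuerOK, identityOK := false, false
	for _, ext := range cert.Extensions {
		issuerOK = issuerOK || (ext.Id.Equal(oidIssuer) && string(ext.Value) == wantIssuer)
	}
	for _, email := range cert.EmailAddresses {
		identityOK = identityOK || email == wantIdentity
	}
	if !issuerOK || !identityOK {
		return fmt.Errorf("certificate is not for %q via %q", wantIdentity, wantIssuer)
	}
	return nil
}

// sampleCert builds a constructed, self-signed stand-in for a signing certificate.
func sampleCert(email, issuer string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero test key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if cert, err := sampleCert("dev@example.com", "https://issuer.example"); err == nil {
		fmt.Println(checkIdentity(cert, "other@example.com", "https://issuer.example"))
	}
}
```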