
Using sign-blob with a transparency log should output cert to disk #936

Closed
DennisDenuto opened this issue Oct 21, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@DennisDenuto
Contributor

Description

I’m trying to use cosign’s experimental transparency log feature to sign a blob (a Go binary built and uploaded to a GH release).
verify-blob requires the blob, signature, and public key.
The blob and signature are easy to provide. (The signature can be extracted when signing via the --signature flag.) However, getting the public key is a bit trickier...

The sign-blob command does output the ephemeral signing cert to stdout. However, the only way to extract it is via scripting it out of stdout.

i.e.

```
COSIGN_EXPERIMENTAL=1 cosign sign-blob --output /tmp/sig /tmp/blob 2>&1 | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > /tmp/crt
```

It would be great if there was a flag to do this instead!

@DennisDenuto DennisDenuto added the enhancement New feature or request label Oct 21, 2021
@Dentrax
Member

Dentrax commented Nov 10, 2021

Any updates here? What we expect here is something like:

```
$ cosign sign-blob --help
...
--output-sig string     write the signature to FILE
--output-cert string    write the certificate to FILE
```

...right?

Our current workaround is to ask Rekor to get the cert:

```
$ rekor-cli get --uuid 8792290505cb70d0c29a2ce310a59d234a14fa831dd2d50c4e188b2503aa9e20 --format json | jq '.Body.RekordObj.signature.publicKey.content' -r | base64 -d
```

Cross ref: goreleaser/goreleaser#2657 and goreleaser/goreleaser#2659 (comment)

cc: @developer-guy @erkanzileli

@dlorenc
Member

dlorenc commented Nov 10, 2021

I think this was fixed recently in #991!

@dlorenc dlorenc closed this as completed Nov 10, 2021
@developer-guy
Member

Thank you, @dlorenc. Yes, we're aware of that issue while opening this one. Still, IMHO these two are different because we are extracting the certificate for later use in the verify-blob command that accepts this certificate through the --cert flag, so users might want to do it either, right?
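The two steps this thread is about, scraping the ephemeral certificate out of sign-blob's mixed output (first post) and then feeding it to verify-blob via --cert (comment above), as an added example that is not cosign's own code. It assumes what cosign's default keyless flow actually produces: an ECDSA P-256 certificate and a base64-encoded ASN.1 ECDSA signature over SHA-256 of the blob. The log lines, the "demo-signer" certificate and the blob contents are constructed here; DemoSignBlob stands in for cosign and Fulcio, and VerifyBlob checks only the signature against the certificate's key, not the Fulcio chain or the Rekor entry.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExtractCertPEM finds the CERTIFICATE block in cosign's combined stdout/stderr,
// skipping log lines and the base64 signature line. pem.Decode searches forward
// for the next "-----BEGIN" marker, so surrounding text is ignored; the loop
// makes the block type explicit rather than accepting the first PEM block seen.
func ExtractCertPEM(output []byte) ([]byte, error) {
	rest := output
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			return nil, errors.New("no CERTIFICATE block found in cosign output")
		}
		if block.Type == "CERTIFICATE" {
			return pem.EncodeToMemory(block), nil
		}
		rest = remaining
	}
}

// VerifyBlob is the core of `cosign verify-blob --cert crt --signature sig blob`:
// the base64 signature must be a valid ASN.1 ECDSA signature over SHA-256(blob)
// under the public key carried in the certificate.
func VerifyBlob(blob []byte, sigB64 string, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("--cert input is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify against the certificate's key")
	}
	return nil
}

// DemoSignBlob stands in for cosign + Fulcio (constructed for this example): it
// mints a throwaway self-signed P-256 certificate, signs the blob, and returns
// the same kind of interleaved text the issue describes scraping with sed.
func DemoSignBlob(blob []byte) (output []byte, sigB64 string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-signer (constructed)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute), // short-lived, like Fulcio certs
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, "", err
	}
	sigB64 = base64.StdEncoding.EncodeToString(sig)
	var buf bytes.Buffer
	buf.WriteString("Using payload from: /tmp/blob\n")         // constructed log line
	buf.WriteString("tlog entry created with index: 12345\n") // constructed log line
	buf.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	buf.WriteString(sigB64 + "\n")
	return buf.Bytes(), sigB64, nil
}

func main() {
	blob := []byte("constructed blob contents")
	out, sig, err := DemoSignBlob(blob)
	if err != nil {
		panic(err)
	}
	crt, err := ExtractCertPEM(out)
	if err != nil {
		panic(err)
	}
	fmt.Printf("extracted certificate (%d bytes); verify-blob result: %v\n", len(crt), VerifyBlob(blob, sig, crt))
}
```

Being strict about the block type matters once the cert is stored for later use: a --cert file that accidentally contains a log line or the signature instead of the certificate should fail loudly at parse time, not produce a confusing verification error downstream.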

@dlorenc
Member

dlorenc commented Nov 10, 2021

Whoops, I misunderstood. Yeah, I think #1016 is the same!

@dlorenc dlorenc reopened this Nov 10, 2021
@dlorenc
Member

dlorenc commented Dec 19, 2021

Closed with #1016!

@dlorenc dlorenc closed this as completed Dec 19, 2021
4 participants