Conversation

@steiza
Member

@steiza steiza commented Nov 25, 2025

Summary

A follow-on to #4525 to support user-managed certificate signing in sign-blob.

This ended up being trickier than I expected due to the forking codepaths for using signing config vs not using signing config. We might want to consider more cleanup and consolidation in the future.

I ran through a lot of sign-blob tests locally, without using signing config and using signing config to cover both code branches (verify commands are only given once):

$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-key.sigstore.json --key import-cosign.key --use-signing-config=false --tlog-upload=false a.txt
$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-key.sigstore.json --key import-cosign.key --signing-config empty_signing_config.json a.txt 

$ go run cmd/cosign/main.go verify-blob --bundle sign-blob-key.sigstore.json --key import-cosign.pub --insecure-ignore-tlog=true a.txt

Note that here sign-blob with --signing-config requires --trusted-root, whereas --use-signing-config=false does not, because of the forking codepaths:

$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-cert.sigstore.json --key import-cosign.key --certificate selfsigned.crt --use-signing-config=false --tlog-upload=false a.txt
$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-cert.sigstore.json --key import-cosign.key --certificate selfsigned.crt --signing-config empty_signing_config.json --trusted-root self-signed-trusted-root.json a.txt

$ go run cmd/cosign/main.go verify-blob --bundle sign-blob-cert.sigstore.json --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" --insecure-ignore-tlog=true --insecure-ignore-sct=true --trusted-root self-signed-trusted-root.json a.txt

Don't forget here to do cosign signing-config create with both --fulcio and --oidc-provider:

$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-oauth.sigstore.json --use-signing-config=false --tlog-upload=false a.txt
$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-oauth.sigstore.json --signing-config oidc_signing_config.json a.txt

$ go run cmd/cosign/main.go verify-blob --insecure-ignore-tlog=true --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" --bundle sign-blob-oauth.sigstore.json a.txt

$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-kms.sigstore.json --key "azurekms://steizatesting.vault.azure.net/testkey" --use-signing-config=false --tlog-upload=false a.txt
$ go run cmd/cosign/main.go sign-blob --bundle sign-blob-kms.sigstore.json --key "azurekms://steizatesting.vault.azure.net/testkey" --signing-config empty_signing_config.json a.txt

$ go run cmd/cosign/main.go verify-blob --bundle sign-blob-kms.sigstore.json --key azure_cosign.pub --insecure-ignore-tlog=true a.txt 

Release Note

  • Added --certificate and --certificate-chain to cosign sign-blob to sign with user-managed certificates

Documentation

N/A

Signed-off-by: Zach Steindler <steiza@github.com>
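The --key / --certificate / --trusted-root flow exercised in the commands above, reduced to its cryptographic core as an added example. This is not cosign's code and is not part of the PR: a self-signed CA generated in memory stands in for the trusted root, a leaf certificate it issued stands in for the certificate handed to --certificate, signing is an ECDSA signature over the SHA-256 digest of the blob (the digest choice is the example's own), and verification first chains the leaf to the root with the code-signing EKU and only then checks the signature with the leaf's public key. Transparency-log and SCT checks, which the verify-blob commands above switch off with --insecure-ignore-tlog and --insecure-ignore-sct, are deliberately left out. All names here (userPKI, issue, newUserPKI, signBlob, verifyBlob) and the sample blob are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// userPKI is a hypothetical user-managed PKI (not cosign's code): a self-signed
// CA standing in for --trusted-root and a code-signing leaf for --certificate.
type userPKI struct {
	root    *x509.Certificate
	leaf    *x509.Certificate
	leafKey *ecdsa.PrivateKey
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newUserPKI generates the CA and leaf in memory with fresh P-256 keys.
func newUserPKI() (*userPKI, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example-signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &leafKey.PublicKey, caKey)
	return &userPKI{root: root, leaf: leaf, leafKey: leafKey}, err
}

// signBlob signs the SHA-256 digest of the blob with the key matching the leaf.
func signBlob(blob []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyBlob chains the leaf to the trusted root (requiring the code-signing EKU)
// and then checks the signature with the leaf's key; tlog/SCT checks are out of scope.
func verifyBlob(blob, sig []byte, leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool() // one-CA root set, the counterpart of --trusted-root
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to the trusted root: %w", err)
	}
	digest := sha256.Sum256(blob)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the leaf public key")
	}
	return nil
}

func main() {
	pki, err := newUserPKI()
	if err != nil {
		panic(err)
	}
	blob := []byte("hello from a.txt\n") // constructed stand-in for a.txt
	sig, err := signBlob(blob, pki.leafKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine blob:", verifyBlob(blob, sig, pki.leaf, pki.root))
}
```

The order of the two checks in verifyBlob is the point worth keeping when wiring a user-managed certificate into a verifier: the leaf is only trusted to speak for a signature after it has chained to the supplied root with the expected key usage, so an unrelated root, a leaf signed by another CA, or a single changed byte in the blob all make verifyBlob return an error rather than nil.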
@steiza steiza requested a review from a team as a code owner November 25, 2025 13:47
@codecov

codecov bot commented Nov 25, 2025

Codecov Report

❌ Patch coverage is 13.46154% with 45 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.36%. Comparing base (2ef6022) to head (710d5c1).
⚠️ Report is 600 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/signcommon/common.go 0.00% 25 Missing ⚠️
cmd/cosign/cli/options/signblob.go 0.00% 9 Missing ⚠️
cmd/cosign/cli/sign/sign_blob.go 50.00% 4 Missing and 3 partials ⚠️
cmd/cosign/cli/options/attest_blob.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/signblob.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4547      +/-   ##
==========================================
- Coverage   40.10%   36.36%   -3.75%     
==========================================
  Files         155      220      +65     
  Lines       10044    12290    +2246     
==========================================
+ Hits         4028     4469     +441     
- Misses       5530     7129    +1599     
- Partials      486      692     +206     

}

if !shouldUpload {
// TODO - this does not take ko.SigningConfig into account
Member Author

Note that this didn't take ko.SigningConfig into account before, but now at least it doesn't prompt you with the immutable records notice when your signing config doesn't include sending content to Rekor.

Signed-off-by: Zach Steindler <steiza@github.com>
return nil, fmt.Errorf("getting signer: %w", err)
}
defer closeSV()
hashFunction := protoHashAlgoToHash(keypair.GetHashAlgorithm())
Contributor

This could be moved up to above line 80 and used in getPayload

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza merged commit 1e49088 into sigstore:main Dec 3, 2025
29 checks passed