Signed Certificate Timestamp with Long-lived Keys #3236
Comments
If you only specify a key, you should not need to specify the SCT flag. That would be a bug we can fix.
jkjell added a commit to jkjell/cosign that referenced this issue on Sep 12, 2023:
…hen using a public key
jkjell added a commit to jkjell/cosign that referenced this issue on Sep 12, 2023:
…hen using a public key Signed-off-by: John Kjell <[email protected]>
haydentherapper pushed a commit that referenced this issue on Sep 12, 2023:
#3237) * Fixes #3236, disable SCT checking for a cosign verification when using a public key Signed-off-by: John Kjell <[email protected]> * Update additional verify functionality Signed-off-by: John Kjell <[email protected]> --------- Signed-off-by: John Kjell <[email protected]>
lance pushed a commit to securesign/cosign that referenced this issue on Sep 25, 2023:
…hen usin… (sigstore#3237) * Fixes sigstore#3236, disable SCT checking for a cosign verification when using a public key Signed-off-by: John Kjell <[email protected]> * Update additional verify functionality Signed-off-by: John Kjell <[email protected]> --------- Signed-off-by: John Kjell <[email protected]>
Question
When signing an image with the command below:
cosign sign --key cosign.key <IMAGE> --tlog-upload=false
it's required to use this command to verify it (in a restricted environment, i.e. no access to TUF root CDN):
cosign verify --key cosign.pub <IMAGE> --insecure-ignore-tlog --insecure-ignore-sct
even though no timestamp will be added. This is related to this Slack thread.
Should it be necessary to ignore the "Signed Certificate Timestamp" when not signing with a certificate? Are there valid use-cases for a timestamp with a long-lived key?