`run.sh` is a test script that generates a CA and a certificate and runs `cosign sign` and `cosign verify` in "keyless verification" mode. It uses the test-friendly temporary image registry https://ttl.sh/ and the public TSA server https://freetsa.org/tsr.

`run-tsa-mtls.sh` extends `run.sh` to add mTLS authentication to the TSA server; with the appropriate parameters it can be used to test mTLS access to a custom TSA server.

Prerequisites:

- Go - https://go.dev/dl or `brew install golang`
- cosign - https://github.com/sigstore/cosign
- crane (to publish a test image to ttl.sh) - https://github.com/google/go-containerregistry/tree/main/cmd/crane, `brew install crane`
This script was written as part of testing for sigstore/cosign#2845 ("verify command: support keyless verification using only a provided certificate chain with non-fulcio roots"). With the main branch of cosign the verification step is expected to fail, because a certificate chain that does not end in a Fulcio root is not accepted yet. If you want to try it before the PR is merged, check out and build cosign from the PR branch https://github.com/dmitris/cosign/tree/keyless-without-fulcio.
Run the basic test with:

```sh
./run.sh
```

If you have an image to sign/verify, you can pass it as the first parameter to `./run.sh` or through the `IMAGE_URI_DIGEST` environment variable:

```sh
./run.sh ttl.sh/2291f828@sha256:b5d6fe0712636ceb7430189de28819e195e8966372edfc2d9409d79402a0dc16
```

See the comments in `run-tsa-mtls.sh` for the parameters required to run that script.
To test cosign support for an mTLS connection to the timestamp server (sigstore/cosign#3052), use `./run-tsa-mtls.sh` and see the "Sample run" example at the top of that script for the mTLS-related parameters (client certificate, client key and the CA that issued the TSA server certificate).
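What the scripts actually exercise is whether cosign accepts a signing certificate that chains to a private, non-Fulcio root. The Go program below is an added example (not part of this repository's scripts and not cosign's own code): it builds the same shape of chain that the openssl steps in `run.sh` produce and then applies the checks `cosign verify` performs on the leaf when given `--certificate-chain`, `--certificate-identity` and `--certificate-oidc-issuer`: chain to the supplied root with a code-signing EKU, a SAN matching the identity, and a Fulcio OIDC-issuer extension (OID 1.3.6.1.4.1.57264.1.1) matching the issuer. The identity, issuer, CA name and lifetimes are assumed test values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio "OIDC Issuer" extension (1.3.6.1.4.1.57264.1.1). cosign reads the
// issuer for --certificate-oidc-issuer from here, so a private CA that wants
// its leaves to pass keyless verification has to stamp it on them too.
var oidOIDCIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// NewChain mimics the CA + leaf that run.sh generates: a self-signed test CA
// (assumed name "keyless-test-ca") and a short-lived leaf whose SAN e-mail is
// the identity and whose OIDC-issuer extension names the issuer.
// It returns the CA and leaf as PEM.
func NewChain(identity, issuer string) (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "keyless-test-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Minute),
		// Keyless certs are deliberately short-lived; a TSA timestamp is what
		// later proves the signature was made inside this window.
		NotAfter:       time.Now().Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses: []string{identity},
		// The v1 extension carries the issuer as a raw string, not DER-wrapped.
		ExtraExtensions: []pkix.Extension{{Id: oidOIDCIssuer, Value: []byte(issuer)}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

// CheckLeaf applies the certificate checks cosign verify makes against
// --certificate-chain / --certificate-identity / --certificate-oidc-issuer.
// A nil result means the leaf would be accepted as a signing certificate.
func CheckLeaf(caPEM, leafPEM []byte, identity, issuer string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in chain PEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// 1. Must chain to the provided root and be usable for code signing.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	// 2. The identity must appear in the SAN (e-mail form for this test CA).
	matched := false
	for _, e := range leaf.EmailAddresses {
		if e == identity {
			matched = true
		}
	}
	if !matched {
		return fmt.Errorf("identity %q not in SAN %v", identity, leaf.EmailAddresses)
	}
	// 3. The OIDC-issuer extension must be present and equal to the issuer.
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidOIDCIssuer) {
			if !bytes.Equal(ext.Value, []byte(issuer)) {
				return fmt.Errorf("issuer mismatch: certificate says %q", ext.Value)
			}
			return nil
		}
	}
	return errors.New("OIDC issuer extension missing from leaf")
}

func main() {
	ca, leaf, err := NewChain("tester@example.com", "https://oidc.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("matching identity/issuer:", CheckLeaf(ca, leaf, "tester@example.com", "https://oidc.example.com"))
	fmt.Println("wrong identity:", CheckLeaf(ca, leaf, "other@example.com", "https://oidc.example.com"))
}
```

The first `CheckLeaf` call prints `<nil>`; the second fails on the SAN check. Dropping the `ExtraExtensions` line is the quickest way to reproduce the "OIDC issuer extension missing" failure that a hand-rolled openssl CA typically produces on its first attempt. The 10-minute leaf lifetime is also why `run.sh` passes a TSA: a verification run after the certificate expires has to rely on the signed timestamp rather than the wall clock.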