Cosign 1.12.0 broke Flux build

[stefanprodan]

After Cosign v1.12.0 our builds are failing with:

cosign verify-blob --cert /tmp/tmp.RrJ3ntuOFG/checksums.txt.pem --signature /tmp/tmp.RrJ3ntuOFG/checksums.txt.sig /tmp/tmp.RrJ3ntuOFG/checksums.txt
Error: verifying blob [/tmp/tmp.RrJ3ntuOFG/checksums.txt]: x509: certificate signed by unknown authority
main.go:62: error during command execution: verifying blob [/tmp/tmp.RrJ3ntuOFG/checksums.txt]: x509: certificate signed by unknown authority

We use keyless to sign the golang-with-libgit2 release assets and we use cosign verify-blob in all Flux controllers that make use of those assets. Since this basically broke Flux build all over, we have two options: remove cosign from our build system or revert to cosign 1.11.0 that is affected by CVE-2022-36056.

[znewman01]

Happy to help debug from the Sigstore side of things.

If I had to guess, it's actually related to the fix to GHSA-8gw7-4j42-w388, which made verification more strict for verify-blob (possibly introducing false positives).

If you can point me to the following, I'd be grateful:

1. Where these files are signed: EDIT 2: found it
2. Where these files are verified EDIT 3: is this it?
3. An example .sig, .pem, and checksums.txt EDIT: found them

[stefanprodan]

@znewman01 to reproduce this locally do:

curl -o ./checksums.txt -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt
curl -o ./checksums.txt.pem -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.pem
curl -o ./checksums.txt.sig -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.sig
cosign verify-blob --cert ./checksums.txt.pem --signature ./checksums.txt.sig ./checksums.txt

[znewman01]

Will reproduce, 1 sec...

In the meantime: does it still happen if you set COSIGN_EXPERIMENTAL=1 for the verify-blob call?

[stefanprodan]

With experimental enabled it doesn't fail but I see lots of duplicate warnings....

 COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert ./checksums.txt.pem --signature ./checksums.txt.sig ./checksums.txt
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tlog entry verified with uuid: 6d82e9ef2755da1cdfd7f566dfbeb6b7877c5d699dbde90e8fa108908ca780fb index: 3070702
Verified OK

[znewman01]

Okay, it's expected that verify-blob should fail without COSIGN_EXPERIMENTAL=1; that's part of the resolution to GHSA-8gw7-4j42-w388 .

With COSIGN_EXPERIMENTAL=0: you provided a certificate which was signed by the keyless CA to verify against, but without COSIGN_EXPERIMENTAL, cosign isn't supposed to know about the keyless CA.

Sorry about the warnings....that's an unintended consequence of sigstore/cosign#2232. A fix is being tracked upstream: theupdateframework/go-tuf#376 . We're hoping to push a minor version bump soon to address that.

[stefanprodan]

@znewman01 shouldn't this be documented as a breaking change in Cosign release notes?

[znewman01]

Yup, filed sigstore/cosign#2253

[asraa]

Hi! Thank you for filing this issue! I want to call out two details too:

1. Without COSIGN_EXPERIMENTAL we were not checking the signature validity against the certificate. The keyless certificate is short-lived: and validating the signature requires validating (against the TLOG) that the signature was produced during the validity period. Thanks @znewman01 for filing the change documentation.
2. If you would like to avoid COSIGN_EXPERIMENTAL making the Rekor lookup to check the signature timestamp, then you can also create a bundle when you create the signature. This will copy the timestamp to a bundle file. Users would need to pass --bundle into the verify-blob command. The bundle also contains the cert and sig, so their call would be cosign verify-blob --bundle bundle.sig checksums.txt

The signing command would add an output bundle flag.