Skip to content

Commit

Permalink
document --ca-roots flag for 'cosign verify'
Browse files Browse the repository at this point in the history
Related to sigstore/cosign#3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <[email protected]>
  • Loading branch information
dmitris committed Jan 29, 2024
1 parent eaf6977 commit 1942692
Showing 1 changed file with 15 additions and 3 deletions.
18 changes: 15 additions & 3 deletions content/en/verifying/verify.md
Original file line number Diff line number Diff line change
Expand Up @@ -80,12 +80,24 @@ $ cosign verify --certificate cosign.crt --certificate-chain chain.crt user/demo
```

## Verify image with user-provided trusted chain

Check failure on line 82 in content/en/verifying/verify.md

View workflow job for this annotation

GitHub Actions / markdownlint

Headings should be surrounded by blank lines

content/en/verifying/verify.md:82 MD022/blanks-around-headings/blanks-around-headers Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## Verify image with user-provided trusted chain"] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md022.md
Verify image with the provided certificate chain and identity parameters (intended for
a "bring your own PKI" use case):

Verify image with the provided certificate chain(s) and identity parameters (intended for
a "bring your own PKI" use cases).
* with a single certificate chain file - which may contain one or several intermediate
certificates followed by the root CA certificate - use the `--certificate-chain` parameter:
```shell
$ cosign verify --certificate-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] user/demo
```
* with a certificate bundle PEM file containing several CA roots (but no intermediate certificate), use the `--ca-roots` parameter:
```shell
$ cosign verify --ca-roots ca-roots.pem --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] user/demo
```

The `--ca-roots` and `--certificate-chain` flags are mutually exclusive.

Note that the hypothetical use case of "multiple chains with multiple CA roots and intermediate
certificates" is not yet supported. There are plans to add the `--ca-intermediates` parameter
(see [issue #3462](https://github.com/sigstore/cosign/issues/3462)), if you needs this,
please open an issue and mention it on the Sigstore #cosign Slack.

## Verify an image on the transparency log

Expand Down

0 comments on commit 1942692

Please sign in to comment.