-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
document --ca-roots flag for 'cosign verify'
Related to sigstore/cosign#3462. Document the new 'cosign verify' --ca-roots flag and its difference to the --certificate-chain flag. List the supported and currently unsupported use cases (single/multiple CA(s), intermediate CAs). Signed-off-by: Dmitry S <[email protected]>
- Loading branch information
Showing
1 changed file
with
15 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -80,12 +80,24 @@ $ cosign verify --certificate cosign.crt --certificate-chain chain.crt user/demo | |
``` | ||
|
||
## Verify image with user-provided trusted chain | ||
Check failure on line 82 in content/en/verifying/verify.md GitHub Actions / markdownlintHeadings should be surrounded by blank lines
|
||
Verify image with the provided certificate chain and identity parameters (intended for | ||
a "bring your own PKI" use case): | ||
|
||
Verify image with the provided certificate chain(s) and identity parameters (intended for | ||
a "bring your own PKI" use cases). | ||
* with a single certificate chain file - which may contain one or several intermediate | ||
certificates followed by the root CA certificate - use the `--certificate-chain` parameter: | ||
```shell | ||
$ cosign verify --certificate-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] user/demo | ||
``` | ||
* with a certificate bundle PEM file containing several CA roots (but no intermediate certificate), use the `--ca-roots` parameter: | ||
```shell | ||
$ cosign verify --ca-roots ca-roots.pem --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] user/demo | ||
``` | ||
|
||
The `--ca-roots` and `--certificate-chain` flags are mutually exclusive. | ||
|
||
Note that the hypothetical use case of "multiple chains with multiple CA roots and intermediate | ||
certificates" is not yet supported. There are plans to add the `--ca-intermediates` parameter | ||
(see [issue #3462](https://github.com/sigstore/cosign/issues/3462)), if you needs this, | ||
please open an issue and mention it on the Sigstore #cosign Slack. | ||
|
||
## Verify an image on the transparency log | ||
|
||
|