"pem" file of the release aren't PEM files #2666
Comments
|
Hello @ctron, thanks for raising an issue; I think these files come from here as cosign use GoReleaser to sign binaries. I think at this point, as there is no manual process in here, we cannot do anything about these files, I guess, unless we edit the cosign code to make them base64 decoded, and this would be a |
I think the issue is that you actually base64 them "again". A PEM file already is base64 encoded, adding the header/footer lines. There is no need to base64 encode it twice. Still, a Renaming the file to something other than As Just don't promise a PEM file :-) |
|
sorry my typo, I just wanted to say "base64 decoded", not encoded 🤦 |
|
Btw, I just found a switch |
|
I've just checked that cosign worked both ways: |
|
So basically, we can do that "--b64" trick in the GoReleaser file. |
|
Agreed that the output formats are a bit of a mess right now; this is something we're aware of and trying to fix. Fixing them by default will be a breaking change unfortunately, so we're planning to do this all at once. Basically, rather than output a certificate AND a signature AND a signed timestamp AND ... we'll stick them all in one My vote would actually be to rename the Goreleaser output to Relevant: |
|
We decided that it would be a breaking change to rename these files, so we're trying to avoid that. Instead, just documenting a little better. No great solution here unfortunately :/ |
Taking a look at the "pem" files in the release section (like
cosign-2.0.0.rc.1.aarch64.rpm-keyless.pem), those file aren't PEM files:But base64 encoded PEM files. From my point of view, if a
.pemfile is being distributed, it should actually be a PEM file, and not base64 encoded.The text was updated successfully, but these errors were encountered: