Issue with HSM generated key type #150

Closed
lukehinds opened this issue Jul 26, 2021 · 0 comments · Fixed by #151
lukehinds commented Jul 26, 2021

Don't have the resolution just yet, but opening this to track

COSIGN_EXPERIMENTAL=1 go run cmd/cosign/main.go sign -fulcio-server http://127.0.0.1:5555 ghcr.io/lukehinds/sigstore-test-three:latest 
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=dH3cg1zLx7XIsreUP79k9zYDU_-BJuPBkr8zaV_8QZI&code_challenge_method=S256&nonce=1vqTxBpal7N6wZiPE13kAjUtMa2&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=1vqTx4qnjHmmOASyiY15WY8kIB8
warning: uploading to the transparency log at https://rekor.sigstore.dev for a private image, please confirm [Y/N]: Y
tlog entry created with index:  11028
Pushing signature to: ghcr.io/lukehinds/sigstore-test-three:sha256-568999d4aedd444465c442617666359ddcd4dc117b22375983d2576c3847c9ba.sig


COSIGN_EXPERIMENTAL=1 go run cmd/cosign/main.go verify ghcr.io/lukehinds/sigstore-test-three:latest
error: no matching signatures:
x509: certificate specifies an incompatible key usage
exit status 1
lukehinds pushed a commit to lukehinds/fulcio that referenced this issue Jul 26, 2021
There was an issue with invalid key types when verifying
cosign signed registry sigs with a fulcio cert generated using
the fulcio createca command

This PR makes the resulting createca generated cert have parity
to GCA generated certs

The result is a HSM / createca root cert can be used to both sign
and verify registry entries

Resolves: sigstore#150

Signed-off-by: Luke Hinds <lhinds@redhat.com>
lukehinds added a commit that referenced this issue Jul 26, 2021
There was an issue with invalid key types when verifying
cosign signed registry sigs with a fulcio cert generated using
the fulcio createca command

This PR makes the resulting createca generated cert have parity
to GCA generated certs

The result is a HSM / createca root cert can be used to both sign
and verify registry entries

Resolves: #150

Signed-off-by: Luke Hinds <lhinds@redhat.com>
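The failure in the reproduction above ("x509: certificate specifies an incompatible key usage") is what Go's crypto/x509 returns when the verifier asks for an extended key usage that some certificate in the chain does not permit. The following is an added example, not code from cosign or fulcio, that shows the mechanism in isolation: it builds a constructed root and a code-signing leaf, then verifies the leaf while requesting the code-signing EKU, the way a signature verifier would. It assumes that the verifier requests ExtKeyUsageCodeSigning (cosign's exact verify options are not shown on this page) and that a root carrying an unrelated EKU is one way a createca-style root can trip this check; the page does not state what the original createca certificate contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// genCA builds a constructed self-signed root with the given extended key usages.
// An empty eku slice means the root imposes no EKU restriction on its chains.
func genCA(eku []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a short-lived code-signing leaf (the shape a fulcio-issued
// signing certificate has) with the given root.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed signer leaf"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCodeSigning chains leaf to root while requesting the code-signing EKU,
// which is the assumed shape of a signature verifier's check.
func VerifyCodeSigning(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// ChainVerifies reports whether a root carrying rootEKU can anchor a code-signing
// leaf. It returns (false, nil) specifically for the incompatible-usage case, so the
// caller can tell a misissued root apart from any other verification error.
func ChainVerifies(rootEKU []x509.ExtKeyUsage) (bool, error) {
	root, key, err := genCA(rootEKU)
	if err != nil {
		return false, err
	}
	leaf, err := issueLeaf(root, key)
	if err != nil {
		return false, err
	}
	err = VerifyCodeSigning(leaf, root)
	if err == nil {
		return true, nil
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage {
		return false, nil
	}
	return false, err
}

func main() {
	cases := map[string][]x509.ExtKeyUsage{
		"root with no EKU":           nil,
		"root with code-signing EKU": {x509.ExtKeyUsageCodeSigning},
		"root with server-auth EKU":  {x509.ExtKeyUsageServerAuth},
	}
	for name, eku := range cases {
		ok, err := ChainVerifies(eku)
		fmt.Printf("%-28s verifies=%v err=%v\n", name, ok, err)
	}
}
```

The server-auth root is the one that reproduces the issue's error text; a root with no EKU, or with the code-signing EKU, lets the same leaf verify. When a root or intermediate is generated outside the normal CA path (an HSM-backed createca root, for instance), checking ExtKeyUsage on every certificate in the chain against the usage the verifier will request is the quick way to catch this before signatures are published.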