Caddy 2.6.4 Signature Verification (Mac arm64) throws certificate expired (#5661)
Comments
I'll look into it, but this doesn't make sense. The signature log should be on the 14th of February. It can't be in the future. The future hasn't happened yet. I'd check the certificate expiry and the Rekor entry for the asset. If you can't do that, I'll check it later tonight.
I'm completely not able to reproduce it. Here's my reproducible script:

```sh
# Fetch the release asset, its detached signature and the (base64-encoded) signing certificate
wget https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_mac_arm64.tar.gz
wget https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_mac_arm64.tar.gz.sig
wget https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_mac_arm64.pem
# The published .pem file is base64-encoded; decode it into a real PEM certificate first
base64 -d < caddy_2.6.4_mac_arm64.pem > cert.pem
# Keyless (Fulcio/Rekor) verification with the cosign v2 CLI
cosign verify-blob \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-github-workflow-name "Release" \
  --certificate-github-workflow-ref refs/tags/v2.6.4 \
  --certificate-identity-regexp caddyserver/caddy \
  --certificate ./cert.pem \
  --signature ./caddy_2.6.4_mac_arm64.tar.gz.sig \
  --verbose \
  ./caddy_2.6.4_mac_arm64.tar.gz
```

For the asset verification point, that's on me. I promised to update the page in caddyserver/website#312. I'll do this promptly.
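The same verification as an added, stand-alone shell script (not code from the issue or from the Caddy project): it decodes the base64 certificate, prints its validity window and SAN with openssl so a "certificate expired" report can be related to the Rekor entry mentioned above, and runs the cosign v2 `verify-blob` flags from the script. The `VERSION` and `PLATFORM` variables, the `RUN_VERIFY` switch and the anchored identity regexp are my assumptions.

```sh
#!/bin/sh
# Added example, not code from the issue or the Caddy project: keyless verification of a
# Caddy release asset with cosign v2, plus a look at the Fulcio certificate's validity
# window so that a "certificate expired" message can be interpreted correctly.
set -eu

VERSION="${VERSION:-2.6.4}"            # assumed: release version without the leading "v"
PLATFORM="${PLATFORM:-mac_arm64}"      # assumed: asset platform suffix used by the release
ASSET="caddy_${VERSION}_${PLATFORM}"
BASE_URL="https://github.com/caddyserver/caddy/releases/download/v${VERSION}"

# The .pem published with the release is base64-encoded PEM, not PEM itself.
# usage: decode_cert <base64-file> <output-pem>; fails if the result is not a PEM certificate.
decode_cert() {
  base64 -d < "$1" > "$2"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$2"
}

# Fulcio issues short-lived certificates (minutes), so notAfter is normally long past when
# anyone verifies; a verifier checking against the current clock reports "certificate expired",
# while cosign v2 checks the certificate against the Rekor entry's integrated time instead.
show_cert_validity() {
  openssl x509 -in "$1" -noout -dates -ext subjectAltName
}

fetch_release_files() {
  for f in "${ASSET}.tar.gz" "${ASSET}.tar.gz.sig" "${ASSET}.pem"; do
    wget -q "${BASE_URL}/${f}"
  done
}

# cosign v2 requires the identity and OIDC issuer flags; the identity regexp is anchored to
# the repository's workflow URI so a bare substring match on "caddyserver/caddy" cannot occur.
verify_asset() {
  cosign verify-blob \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp '^https://github\.com/caddyserver/caddy/' \
    --certificate-github-workflow-name "Release" \
    --certificate-github-workflow-ref "refs/tags/v${VERSION}" \
    --certificate ./cert.pem \
    --signature "./${ASSET}.tar.gz.sig" \
    "./${ASSET}.tar.gz"
}

if [ "${RUN_VERIFY:-0}" = 1 ]; then       # set RUN_VERIFY=1 to perform the network steps
  fetch_release_files
  decode_cert "${ASSET}.pem" cert.pem
  show_cert_validity cert.pem
  verify_asset
fi
```

Run it as `RUN_VERIFY=1 sh verify.sh` from an empty directory; the function definitions alone have no side effects.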
Yeah that's strange. The

I'm not sure where the future part is coming from. Also the asset verification docs note something totally different to what you ran, specifically noting

You're using the decoded cert. Thanks for noting you have an outstanding doc update 🎉
The cosign CLI changed between cosign v1 (when I wrote the docs) and their v2.
Nope, that cert is in base64. It's encoded in base64, thus _un_decoded.
I'm glad it's working fine for you now! Thanks
Following the asset verification documentation and using the latest (non-beta) release for `mac_arm64` on release v2.6.4 does not work, although it's now the way you've (excellently!) implemented binary verification:

Initially the latest cosign v2 (I tried v2.1.1) will not verify with `cosign verify-blob` due to sigstore/cosign#2632, the same as mentioned in sigstore/cosign#2632 (comment).

Switching to installation of the v1 cosign CLI, the Mac arm64 release throws the below:

I tried the latest beta for the same arch/platform and got the same error:
In essence I'm not confident in your Mac arm64 binary signatures according to your own verification documentation.