Document cosign.pub URL must be anonymously fetchable; clarify "verified offline" Rekor behaviour #83
james/carol#83
Cleanup follow-up from the #81 / #82 debugging cycle.
Root-cause correction

The user-visible "no known key found for this signature in database" error chased through #81 and #82 was ultimately caused by repo visibility, not by anything cosign was doing wrong:

- `--key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub`.

The actual fixes #82 added (explicit `--tlog-upload=true`) were still correct — sigs are now genuinely uploaded to Rekor and verifiable — but they weren't the cause of the symptom.

Scope

- `docs/ci.md`, "Release pipeline" → "Verifying a published image": a prerequisite callout that says the `cosign.pub` URL must return the raw PEM to an unauthenticated request. Either the repo is public, or `cosign.pub` is served from a separate publicly-readable location (a release asset on a public mirror repo, a static site, a public gist, etc.) and the release-notes template is adjusted to point at it.
- `cosign verify` reports "Existence of the claims in the transparency log was verified offline" because cosign embeds Rekor's SignedEntryTimestamp into the signature bundle at sign time and uses that embedded proof at verify time; no live call to `rekor.sigstore.dev` is required. This is a property, not a bug. Document it so future-me doesn't mistake it for the verify path bypassing Rekor.

Acceptance criteria

- `docs/ci.md` has the prerequisite callout under "Verifying a published image".
- `docs/ci.md` has a brief troubleshooting note for the "no known key" symptom.
- `cosign.pub` is anonymously fetchable.

Out of scope

- `cosign.pub` to a separate public location (not needed today since the repo is now public).

Part of epic #2. Follow-up from #81 / #82.
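A preflight check for the "cosign.pub is anonymously fetchable" criterion, written here as an added example rather than anything from the carol repo or its `docs/ci.md`: it fetches the key URL with no credentials, refuses to hand cosign anything that is not a raw PEM public key, and only then runs `cosign verify`. It assumes `curl` is installed; the URL and image in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not the project's own script): confirm the cosign.pub URL
# returns a raw PEM public key to an UNAUTHENTICATED request before verifying.
set -u

# Return 0 if FILE holds a PEM public key block and no HTML, 1 otherwise.
# An HTML error or login page instead of the PEM (assumption: the kind of
# response a non-public raw URL gives) is what ends up surfacing as cosign's
# "no known key found for this signature in database".
is_pem_pubkey() {
    f="$1"
    grep -q '^-----BEGIN PUBLIC KEY-----$' "$f" || return 1
    grep -q '^-----END PUBLIC KEY-----$' "$f" || return 1
    ! grep -qi '<html' "$f" || return 1
    return 0
}

# Fetch URL anonymously: -q ignores ~/.curlrc (so no stored credentials
# sneak in), -f turns HTTP 4xx/5xx into a non-zero exit instead of saving
# the error body as if it were a key.
fetch_anon() {
    url="$1"; out="$2"
    curl -q -fsSL -o "$out" "$url"
}

# Run the full check, then cosign verify against the fetched key file.
# The "verified offline" line cosign prints is expected: the Rekor
# SignedEntryTimestamp is embedded in the bundle at sign time.
preflight_verify() {
    key_url="$1"; image="$2"
    tmp="$(mktemp)"
    if ! fetch_anon "$key_url" "$tmp"; then
        echo "FAIL: $key_url is not anonymously fetchable" >&2
        rm -f "$tmp"; return 1
    fi
    if ! is_pem_pubkey "$tmp"; then
        echo "FAIL: $key_url did not return a raw PEM public key" >&2
        rm -f "$tmp"; return 1
    fi
    cosign verify --key "$tmp" "$image"
    rc=$?; rm -f "$tmp"; return $rc
}

# Usage (placeholder URL and image):
# preflight_verify https://forge.example/owner/repo/raw/branch/main/cosign.pub registry.example/app:1.0
```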