From 4b104ae8c28e98517006363b4e0b69ace239d6c5 Mon Sep 17 00:00:00 2001 From: Dmitry S Date: Mon, 29 Jan 2024 19:40:18 +0100 Subject: [PATCH] document --ca-roots flag for 'cosign verify' Related to https://github.com/sigstore/cosign/issues/3462. Document the new 'cosign verify' --ca-roots flag and its difference to the --certificate-chain flag. List the supported and currently unsupported use cases (single/multiple CA(s), intermediate CAs). Signed-off-by: Dmitry S --- content/en/verifying/verify.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/content/en/verifying/verify.md b/content/en/verifying/verify.md index 9ac4a095..1bf81f1b 100644 --- a/content/en/verifying/verify.md +++ b/content/en/verifying/verify.md @@ -80,12 +80,25 @@ $ cosign verify --certificate cosign.crt --certificate-chain chain.crt --certifi ``` ## Verify image with user-provided trusted chain -Verify image with the provided certificate chain and identity parameters (intended for -a "bring your own PKI" use case): - +Verify image with the provided certificate chain(s) and identity parameters (intended for +"bring your own PKI" use cases). +* with a single certificate chain file - which may contain one or several intermediate +certificates followed by the root CA certificate - use the `--certificate-chain` parameter: ```shell $ cosign verify --certificate-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com user/demo ``` +* with a certificate bundle PEM file containing several CA roots (but without +intermediate certificate), use the `--ca-roots` parameter: +```shell +$ cosign verify --ca-roots ca-roots.pem --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com user/demo +``` + +The `--ca-roots` and `--certificate-chain` flags are mutually exclusive. + +Note that the hypothetical use case of "multiple chains with multiple CA roots and intermediate +certificates" is not yet supported. There are plans to add the `--ca-intermediates` parameter +(see [issue #3462](https://github.com/sigstore/cosign/issues/3462)). If you need this, +please open an issue and mention it on the Sigstore #cosign Slack. ## Verify an image on the transparency log