
keyless verify-blob? #676

Closed
caarlos0 opened this issue Sep 15, 2021 · 3 comments · Fixed by #895
Labels
question Further information is requested

Comments

@caarlos0
Contributor

caarlos0 commented Sep 15, 2021

Question

I am able to keyless sign a blob with:

COSIGN_EXPERIMENTAL=1 cosign sign-blob Desktop/file.pdf

But I can't verify it, as it asks for a -key or -sk.

Also, it does not create the output file if I use something like:

COSIGN_EXPERIMENTAL=1 cosign sign-blob -output file.sig file.pdf 

Is it something planned to work in the future?
If not, maybe we shouldn't allow keyless signing a blob?
Maybe it's just me doing something wrong? I don't see any mentions of blob in the KEYLESS.md file... and it seems like the full design doc is not public, so I'm not sure 🤔

@caarlos0 caarlos0 added the question Further information is requested label Sep 15, 2021
@dlorenc
Member

dlorenc commented Sep 15, 2021

Maybe it's just me doing something wrong? I don't see any mentions of blob in the KEYLESS.md file... and it seems like the full design doc is not public, so I'm not sure 🤔

The design doc should be public! You just have to join [email protected] I think...

It looks like this is missing from the docs, but there's a "-cert" flag you need to pass to verify a blob using the "keyless" flow right now (when you initially sign an object, you get a certificate from Fulcio, unfortunately you need to remember that certificate somewhere today).

That cert can be looked up from Rekor if you only have the artifact, so we can automate/document this too.
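The point in the comment above is that in the keyless flow the verifying key lives in the Fulcio-issued certificate, so `verify-blob` needs that certificate rather than a `-key`. The following Go program is an added illustration, not cosign's own code: it stands in a self-signed certificate for the Fulcio one (an assumption, so that it runs offline) and shows the certificate-based check that `verify-blob -cert` performs, with the chain and identity checks against the Fulcio root left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)
// keylessSign mimics cosign's keyless sign-blob: an ephemeral key signs the blob's
// SHA-256 digest and its public half travels in a short-lived certificate.
// Constructed stand-in: the cert is self-signed here; cosign gets it from Fulcio.
func keylessSign(blob []byte) (certDER, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute), // short validity, like Fulcio
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(blob)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return certDER, sig, err
}
// verifyBlobWithCert is the check `verify-blob -cert` performs: the verifying key
// comes from the certificate, so no -key or -sk is needed. Checking that the cert
// chains to the Fulcio root and names the expected identity is a separate step.
func verifyBlobWithCert(blob, certDER, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match blob")
	}
	return nil
}
```

Without the certificate (or a Rekor lookup that recovers it) the verifier has nothing to check the signature against, which is exactly why the bare keyless `verify-blob` call fails and asks for a key.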

rgerganov pushed a commit to rgerganov/cosign that referenced this issue Oct 14, 2021
verify-blob takes one of pubkey, cert or sk

Signed-off-by: Radoslav Gerganov <[email protected]>
dlorenc pushed a commit that referenced this issue Oct 15, 2021
verify-blob takes one of pubkey, cert or sk

Signed-off-by: Radoslav Gerganov <[email protected]>
@DennisDenuto
Contributor

DennisDenuto commented Oct 29, 2021

That cert can be looked up from Rekor if you only have the artifact, so we can automate/document this too.

Hey @dlorenc is there any plan to automate looking up the cert using rekor when running verify-blob? This would reduce the overhead of serving the cert somewhere trustworthy for folk to use when verifying.

@dlorenc
Member

dlorenc commented Oct 29, 2021

I think we should do it! I don't have a plan to personally (just a bandwidth thing) but we can definitely help if someone wants to try and get it merged!
