Offline verification #3963

Open
zetti12345 opened this issue Dec 12, 2024 · 1 comment
Labels
question Further information is requested

Comments

@zetti12345

Question
Hi

I am trying to do an offline verification of my signed container with cosign. First I followed the description in the Readme.md to save the image with cosign save ....
Afterwards I tried to verify my image like this:

cosign verify --certificate-identity [email protected] --certificate-oidc-issuer-regexp * --offline=true --local-image ./path

And I always get the following error:

Error: no matching signatures: error verifying bundle: verifying bundle: rekor log public key not found for payload
main.go:74: error during command execution: no matching signatures: error verifying bundle: verifying bundle: rekor log public key not found for payload

I am using cosign version 2.4.0

Can you please describe to me what I am doing wrong, as the documentation is not really helping me?

Thx for your help
Peter

@zetti12345 zetti12345 added the question Further information is requested label Dec 12, 2024
@bobcallaway
Member

Because you're in --offline mode, you'll need to have downloaded the Rekor public key you trust and set the path to that .pem file in the environment variable SIGSTORE_REKOR_PUBLIC_KEY.
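
A preflight wrapper for the setup described in the reply above, as an added example that is not part of the issue thread or the cosign project's own code. The function names `check_rekor_key` and `verify_offline` are hypothetical, the cosign flags are the ones used in the question, and the key file is assumed to have been exported and checked on a connected machine beforehand.

```shell
#!/bin/sh
# Added example: fail early, with a clear reason, when the Rekor key that
# offline verification depends on is missing, instead of reaching cosign's
# "rekor log public key not found for payload" error.
# Assumption: the key was exported on a connected machine (for example from
# the trusted Rekor instance's /api/v1/log/publicKey endpoint), compared out
# of band, and copied to the air-gapped host as a .pem file.

# check_rekor_key: return 0 if SIGSTORE_REKOR_PUBLIC_KEY names a readable file
# that has PEM public-key framing. This is a structural check only; it does
# not prove the key is the one you trust.
check_rekor_key() {
    if [ -z "${SIGSTORE_REKOR_PUBLIC_KEY:-}" ]; then
        echo "SIGSTORE_REKOR_PUBLIC_KEY is not set" >&2
        return 1
    fi
    if [ ! -r "$SIGSTORE_REKOR_PUBLIC_KEY" ]; then
        echo "cannot read $SIGSTORE_REKOR_PUBLIC_KEY" >&2
        return 2
    fi
    if ! grep -q '^-----BEGIN PUBLIC KEY-----' "$SIGSTORE_REKOR_PUBLIC_KEY" ||
       ! grep -q '^-----END PUBLIC KEY-----' "$SIGSTORE_REKOR_PUBLIC_KEY"; then
        echo "$SIGSTORE_REKOR_PUBLIC_KEY is not a PEM public key" >&2
        return 3
    fi
    return 0
}

# verify_offline IMAGE_DIR IDENTITY ISSUER_REGEXP
# IMAGE_DIR is the directory written earlier by "cosign save".
verify_offline() {
    check_rekor_key || return $?
    # Export so the cosign child process sees the variable.
    export SIGSTORE_REKOR_PUBLIC_KEY
    cosign verify \
        --certificate-identity "$2" \
        --certificate-oidc-issuer-regexp "$3" \
        --offline=true \
        --local-image "$1"
}

# Usage (placeholders, not values from the issue):
#   SIGSTORE_REKOR_PUBLIC_KEY=/path/to/rekor.pub.pem
#   verify_offline ./path "<signer identity>" "<issuer regexp>"
```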
