
No artifact sig files for package manager files? #3330

Open
scruloose opened this issue Oct 30, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@scruloose

Description

As an end user trying to install cosign so I can verify the install packages of another project before installing them, I'm working from these instructions, and trying to verify and install cosign (cosign_2.2.0_amd64.deb) from the assets on the release page.

I've got as far as "Initializing TUF Environment" without errors, and used tuf-client to retrieve artifact.pub as instructed.

The instructions under Verifying With Key seem to assume that there's a <filename>.sig signature file corresponding to the release file I want to install. The (naked executable file?) cosign-linux-amd64 has a corresponding cosign-linux-amd64.sig file.

But all of the linux package (.deb, .rpm, etc) files seem to have only "keyless" signatures, which — to the best of my understanding — are no use for an initial install, because cosign has to already be installed in order to verify them.

So… how do I verify the .deb file from the official release assets, given that I don't have cosign installed yet? Are they missing .sig files that are supposed to be there, or am I missing something in the installation instructions?

@scruloose scruloose added the enhancement New feature or request label Oct 30, 2023
@haydentherapper
Contributor

@cpanato Do you know why we don't sign RPMs and Deb packages with the artifact key?

@scruloose this is a bit of a chicken-and-egg problem. If you can set up a Linux VM, for example, I would verify cosign-linux-amd64 using the .sig file, then use that Cosign release to verify the Deb and RPM using the identity-based signature and certificate (-keyless.sig and -keyless.pem).

@cpanato
Member

cpanato commented Nov 19, 2023

@scruloose
Author

It's certainly possible I've misunderstood something, but as far as I'm aware, those -keyless.pem and -keyless.sig files are only useful if you already have cosign up and running. So, good for an upgrade, but no use for an initial install. Do I have that wrong?

According to the instructions, there should also be an "artifact key" sig file, i.e. cosign_2.2.0_amd64.deb.sig (without -keyless). And that .sig file can be manually verified using TUF for an initial install, in the case that you don't already have cosign.

…but that file doesn't exist.

As a workaround, I did download the naked ELF executable cosign-linux-amd64 and its associated artifact key .sig file cosign-linux-amd64.sig, verified it manually with TUF, and then used that to verify the deb using its -keyless.pem and -keyless.sig files, which do exist.

The manual TUF setup process is a bit elaborate already. Having to go through yet another bootstrap step after that, to overcome the lack of an artifact key .sig file for the .deb package, seems like it raises the barrier to entry for new users… for no evident benefit. Assuming I'm understanding the process correctly.
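The two-step bootstrap described in the comment above, written out as an added example (this is not a script from the cosign project or from anyone in this thread). It assumes artifact.pub has already been retrieved with tuf-client as the install docs describe, that the release assets follow the naming seen on the release page (`<asset>.sig` for the artifact key, `<asset>-keyless.sig` and `<asset>-keyless.pem` for the identity-based signature), that the artifact-key `.sig` is base64-encoded, and that the release pipeline's signing identity and OIDC issuer are the values given in the variables below; all of these are assumptions to confirm against the project's documentation, not facts stated in the issue.

```shell
#!/bin/sh
# Added example, not the cosign project's own script: bootstrap cosign from a
# release page when the .deb carries only keyless signatures.
#  Step 1: verify cosign-linux-amd64 with openssl against artifact.pub
#          (obtained earlier via tuf-client) using its artifact-key .sig.
#  Step 2: use that verified binary to verify the .deb with -keyless.sig/.pem.
# Assumptions (not from the issue): release URL layout, base64-encoded .sig,
# and the signing identity/issuer of the cosign release pipeline.

VERSION="${VERSION:-2.2.0}"
BASE_URL="https://github.com/sigstore/cosign/releases/download/v${VERSION}"
# Assumed identity/issuer of the cosign release signer; confirm in the docs.
RELEASE_IDENTITY="${RELEASE_IDENTITY:-keyless@projectsigstore.iam.gserviceaccount.com}"
RELEASE_ISSUER="${RELEASE_ISSUER:-https://accounts.google.com}"

# Naming convention used on the release page for each signature flavour.
artifact_sig_for() { printf '%s.sig\n' "$1"; }
keyless_sig_for()  { printf '%s-keyless.sig\n' "$1"; }
keyless_cert_for() { printf '%s-keyless.pem\n' "$1"; }

# Which path can verify an asset, given the files present in a directory:
# "artifact-key" if a plain .sig exists (usable with openssl, no cosign needed),
# "keyless" if only the -keyless pair exists (needs a working cosign),
# "none" otherwise. This is the distinction the issue is about.
verification_path() {
  dir=$1; asset=$2
  if [ -f "$dir/$(artifact_sig_for "$asset")" ]; then
    echo artifact-key
  elif [ -f "$dir/$(keyless_sig_for "$asset")" ] && [ -f "$dir/$(keyless_cert_for "$asset")" ]; then
    echo keyless
  else
    echo none
  fi
}

# Step 1: no cosign yet, so verify with openssl and the TUF-retrieved key.
# The .sig is assumed to be base64 text, hence the decode before openssl.
verify_with_artifact_key() {
  pubkey=$1; asset=$2
  base64 -d "$(artifact_sig_for "$asset")" > "$asset.sig.raw"
  openssl dgst -sha256 -verify "$pubkey" -signature "$asset.sig.raw" "$asset"
}

# Step 2: the freshly verified binary checks the keyless signature, pinning the
# expected signing identity and OIDC issuer so any Fulcio cert is not accepted.
verify_keyless() {
  cosign_bin=$1; asset=$2
  "$cosign_bin" verify-blob "$asset" \
    --signature "$(keyless_sig_for "$asset")" \
    --certificate "$(keyless_cert_for "$asset")" \
    --certificate-identity "$RELEASE_IDENTITY" \
    --certificate-oidc-issuer "$RELEASE_ISSUER"
}

fetch() { curl -fsSLO "$BASE_URL/$1"; }

main() {
  set -e
  pubkey=$1                      # path to artifact.pub from tuf-client
  bin=cosign-linux-amd64
  deb="cosign_${VERSION}_amd64.deb"

  fetch "$bin"; fetch "$(artifact_sig_for "$bin")"
  verify_with_artifact_key "$pubkey" "$bin"
  chmod +x "$bin"

  fetch "$deb"; fetch "$(keyless_sig_for "$deb")"; fetch "$(keyless_cert_for "$deb")"
  echo "$deb verification path: $(verification_path . "$deb")"
  verify_keyless "./$bin" "$deb"
  echo "verified $deb; install with: sudo dpkg -i $deb"
}

# Runs only when given the path to artifact.pub, e.g.: sh bootstrap.sh artifact.pub
[ $# -eq 0 ] || main "$@"
```

Pinning `--certificate-identity` and `--certificate-oidc-issuer` in step 2 is the part that matters: without them, `verify-blob` would accept a keyless signature from any identity the public Fulcio instance issued a certificate to. If the identity or issuer in the variables does not match what the project documents, verification fails closed rather than silently trusting the wrong signer.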

@haydentherapper
Contributor

@cpanato Yea, the files you linked are for Cosign signed with Cosign. It looks like we're lacking a binary signed with the artifact key.
