No artifact sig files for package manager files? #3330
Comments
@cpanato Do you know why we don't sign RPMs and Deb packages with the artifact key? @scruloose this is a bit of a chicken and egg problem. If you can set up a Linux VM for example, I would verify
we sign the .deb files deb: https://github.com/sigstore/cosign/releases/download/v2.2.1/cosign_2.2.1_amd64.deb am I missing something here?
It's certainly possible I've misunderstood something, but as far as I'm aware, those According to the instructions, there should also be an "artifact key" sig file, ie …but that file doesn't exist. As a workaround, I did download the naked ELF executable The manual TUF setup process is a bit elaborate already. Having to go through yet another bootstrap step after that, to overcome the lack of an artifact key
@cpanato Yea, the files you linked are for Cosign signed with Cosign. It looks like we're lacking a binary signed with the artifact key.
Description

As an end user trying to install cosign so I can verify the install packages of another project before installing them, I'm working from these instructions, and trying to verify and install cosign `cosign_2.2.0_amd64.deb` from the assets on the release page. I've got as far as "Initializing TUF Environment" without errors, and used tuf-client to retrieve `artifact.pub` as instructed.

The instructions under Verifying With Key seem to assume that there's a `<filename>.sig` signature file corresponding to the release file I want to install. The (naked executable file?) `cosign-linux-amd64` has a corresponding `cosign-linux-amd64.sig` file. But all of the linux package (`.deb`, `.rpm`, etc) files seem to have only "keyless" signatures, which — to the best of my understanding — are no use for an initial install, because cosign has to already be installed in order to verify them.

So… how do I verify the `.deb` file from the official release assets, given that I don't have cosign installed yet? Are they missing `.sig` files that are supposed to be there, or am I missing something in the installation instructions?
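As an added illustration of the bootstrap step the description asks about (this is not code from the issue or from the cosign project): checking a release file against a key such as the TUF-retrieved `artifact.pub` using only openssl, so no cosign binary has to be trusted before it is verified. It assumes the `.sig` is the base64-encoded DER ECDSA signature over the file's SHA-256 digest that `cosign sign-blob --key` produces; the key pair, sample file and signature here are constructed by the script in place of the real release assets.

```shell
#!/bin/sh
# Added example, not cosign project code. Assumption: a key-based cosign
# .sig is base64(DER ECDSA signature) over SHA-256 of the file, which is
# exactly what `openssl dgst -sha256 -verify` checks.

# verify_with_key PUBKEY_PEM SIG_B64 FILE
# Exit 0 only if SIG_B64 is a valid signature over FILE by PUBKEY_PEM.
verify_with_key() {
    raw=$(mktemp)
    if base64 -d "$2" > "$raw" 2>/dev/null &&
       openssl dgst -sha256 -verify "$1" -signature "$raw" "$3" >/dev/null 2>&1; then
        rm -f "$raw"; return 0
    fi
    rm -f "$raw"; return 1
}

# demo: constructed throwaway P-256 key standing in for artifact.pub; signs a
# sample "release file", then reports whether the intact copy and a tampered
# copy pass verification. Prints "good:ok tampered:rejected" on success.
demo() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/artifact.key" 2>/dev/null
    openssl ec -in "$d/artifact.key" -pubout -out "$d/artifact.pub" 2>/dev/null
    printf 'sample release payload\n' > "$d/release.deb"
    # Same shape as a cosign key signature: DER ECDSA, base64-encoded.
    openssl dgst -sha256 -sign "$d/artifact.key" "$d/release.deb" | base64 > "$d/release.deb.sig"
    cp "$d/release.deb" "$d/tampered.deb"
    printf 'x' >> "$d/tampered.deb"
    if verify_with_key "$d/artifact.pub" "$d/release.deb.sig" "$d/release.deb"; then
        good=ok; else good=rejected; fi
    if verify_with_key "$d/artifact.pub" "$d/release.deb.sig" "$d/tampered.deb"; then
        bad=ok; else bad=rejected; fi
    rm -rf "$d"
    echo "good:$good tampered:$bad"
}

# Against real assets you would call, for example:
#   verify_with_key artifact.pub cosign-linux-amd64.sig cosign-linux-amd64
demo
```

Only a file that has a key-based `.sig` next to it can be checked this way; a keyless (Fulcio/Rekor) signature needs the cosign verification logic itself.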