
gitsign verify command throws error getting certificate root: error getting targets: error getting target fulcio_intermediate_v1.crt.pem #293

Open
mawl opened this issue Apr 20, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@mawl

mawl commented Apr 20, 2023

Hey,

Making my first steps with gitsign on Windows, installed with Chocolatey.

My config:

git config --local commit.gpgsign true
git config --local tag.gpgsign true
git config --local gpg.x509.program gitsign
git config --local gpg.format x509
git config --local gitsign.connectorID https://login.microsoftonline.com

After successful signing, gitsign verify throws:

Error: error getting certificate root: error getting targets: error getting target fulcio_intermediate_v1.crt.pem by usage: open C:\Users\me\.sigstore\root\targets\fulcio_intermediate_v1.crt.pem: File not found

C:\Users\me\.sigstore\root\targets

20.04.2023  14:54    <DIR>          .
20.04.2023  14:54    <DIR>          ..
20.04.2023  08:59               177 artifact.pub
20.04.2023  08:59               177 ctfe.pub
20.04.2023  08:59               178 ctfe_2022.pub
20.04.2023  08:59               744 fulcio.crt.pem
20.04.2023  08:59               740 fulcio_v1.crt.pem
20.04.2023  08:59               178 rekor.pub
20.04.2023  08:59             7.014 trusted_root.json

Version

>gitsign --version
gitsign version v0.6.0
parsed config:
{
  "Fulcio": "https://fulcio.sigstore.dev",
  "FulcioRoot": "",
  "Rekor": "https://rekor.sigstore.dev",
  "ClientID": "sigstore",
  "RedirectURL": "",
  "Issuer": "https://oauth2.sigstore.dev/auth",
  "ConnectorID": "https://login.microsoftonline.com",
  "TimestampURL": "",
  "TimestampCert": "",
  "LogPath": "",
  "CommitterName": "Me",
  "CommitterEmail": "[email protected]",
  "MatchCommitter": false
}

Any Ideas?

@mawl mawl added the bug Something isn't working label Apr 20, 2023
@mawl mawl changed the title error getting certificate root: error getting targets: error getting target fulcio_intermediate_v1.crt.pem gitsign verify command throws error getting certificate root: error getting targets: error getting target fulcio_intermediate_v1.crt.pem Apr 20, 2023
@wlynch
Member

wlynch commented Apr 20, 2023

As a first step, try running cosign initialize - this will refresh the sigstore TUF roots on your local system to the latest versions.

@mawl
Author

mawl commented Apr 21, 2023

@wlynch: Thanks for your immediate help :)

I had installed cosign with Chocolatey first - but the newest version there is 1.3.1: https://community.chocolatey.org/packages/Cosign

cosign initialize then leads to an error:

> cosign initialize
Error: open repository\root.json: file does not exist
main.go:46: error during command execution: open repository\root.json: file does not exist

After updating cosign to latest version 2.0.1, the error disappears and fulcio_intermediate_v1.crt.pem is there :)

> cosign initialize
Root status:
 {
        "local": "C:\\Users\\me\\.sigstore\\root",
        "remote": "https://sigstore-tuf-root.storage.googleapis.com",
        "metadata": {
                "root.json": {
                        "version": 7,
                        "len": 5404,
                        "expiration": "04 Oct 23 13:08 UTC",
                        "error": ""
                },
                "snapshot.json": {
                        "version": 81,
                        "len": 2299,
                        "expiration": "06 May 23 00:06 UTC",
                        "error": ""
                },
                "targets.json": {
                        "version": 7,
                        "len": 5252,
                        "expiration": "04 Oct 23 13:26 UTC",
                        "error": ""
                },
                "timestamp.json": {
                        "version": 81,
                        "len": 721,
                        "expiration": "29 Apr 23 00:06 UTC",
                        "error": ""
                }
        },
        "targets": [
                "ctfe_2022.pub",
                "fulcio.crt.pem",
                "fulcio_intermediate_v1.crt.pem",
                "fulcio_v1.crt.pem",
                "rekor.pub",
                "trusted_root.json",
                "artifact.pub",
                "ctfe.pub"
        ]
}

But gitsign verify doesn't work either; it shows a different error:

> echo hello gitsign > .\hello.txt
> git add .
> git commit -m "gitsign"
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=...
tlog entry created with index: 18543755
[main 83b11ae] gitsign
 1 file changed, 0 insertions(+), 0 deletions(-)
> gitsign verify HEAD
Error: error parsing identities: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

@wlynch
Member

wlynch commented Apr 21, 2023

Nice! 🎉

So the --certificate-identity error is actually intentional. We're following cosign verify here to require users to provide the expected identity + issuer (see sigstore/cosign#2056 for more background).

I think a reasonable improvement would be to use the committer email as a default, this way you'd only need to provide the issuer in most cases.
If you're interested in contributing, I think this would be an easy change! You would just need to set the CertVerifyOpts.CertIdentity to the committer email if it's empty before we call this:

v, err := gitsign.NewVerifierWithCosignOpts(ctx, o.Config, &o.CertVerifyOptions)
Otherwise I can get to it when I have some free time. 🙂
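The defaulting rule proposed above, written out as an added example (not gitsign's or cosign's own code): the Config and CertVerifyOptions structs are hypothetical stand-ins that mirror only the fields the discussion names, and the sample JSON is constructed after the "parsed config" block shown earlier in the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Config is a stand-in for the fields of gitsign's parsed config used here.
type Config struct {
	Issuer         string `json:"Issuer"`
	CommitterEmail string `json:"CommitterEmail"`
}

// CertVerifyOptions is a stand-in for cosign's CertVerifyOptions; the field
// names are assumed to mirror the --certificate-identity* flags.
type CertVerifyOptions struct {
	CertIdentity       string
	CertIdentityRegexp string
	CertOidcIssuer     string
}

// ErrNoIdentity reproduces the keyless-mode failure reported in the issue.
var ErrNoIdentity = errors.New("--certificate-identity or --certificate-identity-regexp is required for verification in keyless mode")

// DefaultIdentity fills CertIdentity from the committer email when the caller
// supplied neither an identity nor a regexp. The issuer is deliberately left
// to the user; nothing in the thread proposes defaulting it.
func DefaultIdentity(cfg Config, o *CertVerifyOptions) error {
	if o.CertIdentity == "" && o.CertIdentityRegexp == "" {
		o.CertIdentity = cfg.CommitterEmail
	}
	if o.CertIdentity == "" && o.CertIdentityRegexp == "" {
		return ErrNoIdentity // no email configured either: same error as before
	}
	return nil
}

// ParseConfig reads the JSON printed under "parsed config" by gitsign --version.
func ParseConfig(raw []byte) (Config, error) {
	var c Config
	err := json.Unmarshal(raw, &c)
	return c, err
}

func main() {
	// Constructed sample in the shape of the issue's parsed config.
	raw := []byte(`{"Issuer":"https://oauth2.sigstore.dev/auth","CommitterEmail":"me@example.com"}`)
	cfg, _ := ParseConfig(raw)
	o := CertVerifyOptions{CertOidcIssuer: "https://ISSUER-PLACEHOLDER"}
	fmt.Println(DefaultIdentity(cfg, &o), o.CertIdentity) // <nil> me@example.com
}
```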

@mawl
Author

mawl commented Apr 26, 2023

Thanks, after reading https://github.com/sigstore/gitsign#verifying-commits I was able to verify the signature locally.

So let's wait for https://gitlab.com/gitlab-org/gitlab/-/issues/364428 :)
