fix sbom verify command
Merge Request Description
Fixes the cosign verify command for our SBOMs in the cosign readme
Merge Request BOE
Risk
None
Rollback Plan
Revert MR
Testing
cosign verify using --key fails
➜ cosign verify --key https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/raw/master/scripts/cosign/cosign-certificate.pem "${sbom}"
Error: loading public key: pem to public key: asn1: structure error: tags don't match (6 vs {class:2 tag:0 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @2
main.go:46: error during command execution: loading public key: pem to public key: asn1: structure error: tags don't match (6 vs {class:2 tag:0 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @2
While using --cert succeeds
➜ cosign verify --cert https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/raw/master/scripts/cosign/cosign-certificate.pem "${sbom}"
Verification for registry1.dso.mil/ironbank/opensource/nodejs/nodejs16:sha256-5ee0778890360e9cf3ffdc8bcb498d4f676ae28dc44dfd6af55b1cfb7d2bf76c.sbom --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"registry1.dso.mil/ironbank/opensource/nodejs/nodejs16"},"image":{"docker-manifest-digest":"sha256:74589a08993e40b0f53367e17c34ec9ab08e38aff33a04498a9ceafa8f601529"},"type":"cosign container image signature"},"optional":{"Subject":"ironbank@dsop.io"}}]
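The --key failure above is what a public-key parser reports when it is handed an X.509 certificate: it expects the OBJECT IDENTIFIER (tag 6) of a SubjectPublicKeyInfo and instead meets the certificate's context-tagged [0] version field. The Go program below is an added example, not code from this merge request or from cosign; it shows both readings of one PEM and extracts the bare public key from a certificate. The certificate is a throwaway self-signed one constructed in memory, and the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// constructedCertPEM builds a throwaway self-signed certificate (constructed sample input).
func constructedCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// derOf returns the DER body of the first PEM block, or nil if there is none.
func derOf(data []byte) []byte {
	if block, _ := pem.Decode(data); block != nil {
		return block.Bytes
	}
	return nil
}

// keyParseError reads the PEM as a bare public key (SubjectPublicKeyInfo); nil means it is one.
func keyParseError(data []byte) error {
	_, err := x509.ParsePKIXPublicKey(derOf(data))
	return err
}

// publicKeyFromCert reads the PEM as an X.509 certificate and returns its key as a "PUBLIC KEY" block.
func publicKeyFromCert(data []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(derOf(data))
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: cert.RawSubjectPublicKeyInfo}), nil
}

func main() {
	c := constructedCertPEM()
	pub, err := publicKeyFromCert(c)
	fmt.Printf("as public key: %v\nas certificate: err=%v\n%s", keyParseError(c), err, pub)
}
```

Checking which of the two parsers accepts a PEM file before wiring it into a verify command tells you whether the file belongs behind --cert or --key.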