Labels: enhancement (New feature or request)
Description
We have an inconsistency with the usage of both `--key` and `--certificate-identity` when verifying signatures signed either by managed keys or using code signing certificates. When signed with a key, the identity is always ignored. When signed with a code signing cert, verification errs out with a key.
There are roughly three options for the UX:
- When a key is provided, it takes precedence over Fulcio verification (what Cosign does now). Note that Cosign still uses other roots of trust, e.g. the log public key.
- When a key is provided, it is merged into the trusted root, so that either a certificate or key is valid.
- Disallow both a key and identity from being provided, to avoid the need to pick preferences.
I would recommend (3). When a user provides an identity, we should treat that as the user specifying that an identity is expected. By silently ignoring it, there may be instances where a user is tricked into verifying a signature signed by a managed key rather than with a code signing cert unexpectedly.
Copying from https://sigstore.slack.com/archives/C03SZ6SHU90/p1766169728333369:
OIDC signed

```
% cosign verify-blob --bundle ~/cosign-test/test.sigstore.json --certificate-identity [email protected] --certificate-oidc-issuer https://github.com/login/oauth a.txt
Verified OK
% cosign verify-blob --key ~/cosign-test/cosign.pub --bundle ~/cosign-test/test.sigstore.json --certificate-identity [email protected] --certificate-oidc-issuer https://github.com/login/oauth a.txt
Error: expected key signature, not certificate
error during command execution: expected key signature, not certificate
```

Key signed

```
% cosign verify-blob --key ~/cosign-test/cosign.pub --bundle ~/cosign-test/bundle.sigstore.json a.txt
Verified OK
% cosign verify-blob --key ~/cosign-test/cosign.pub --bundle ~/cosign-test/bundle.sigstore.json --certificate-identity [email protected] --certificate-oidc-issuer https://github.com/login/oauth a.txt
Verified OK
```
cc @piceri
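Option (3) written out as a flag-validation policy, added here as a standalone Go example rather than cosign's own code. The `VerifyOpts`, `BundleMaterial` and error names are assumptions made for the example; the identity and issuer values are constructed placeholders. It reproduces the four outcomes from the transcript above, with the change that the key-signed bundle plus `--certificate-identity` case now fails instead of silently verifying:

```go
package main

import (
	"errors"
	"fmt"
)

// BundleMaterial is what the bundle's verification material carries.
// Constructed for this example; it stands in for parsing the real bundle.
type BundleMaterial int

const (
	MaterialPublicKey   BundleMaterial = iota // signed with a managed key (public key hint)
	MaterialCertificate                       // signed with a Fulcio code signing certificate
)

// VerifyOpts mirrors the three verify-blob flags discussed in the issue (assumed struct).
type VerifyOpts struct {
	KeyPath        string // --key
	CertIdentity   string // --certificate-identity
	CertOIDCIssuer string // --certificate-oidc-issuer
}

// Error values are assumptions; only ErrExpectedKey's text comes from the transcript.
var (
	ErrConflictingTrust = errors.New("--key cannot be combined with --certificate-identity or --certificate-oidc-issuer")
	ErrExpectedKey      = errors.New("expected key signature, not certificate")
	ErrExpectedCert     = errors.New("expected certificate signature, not key")
	ErrMissingIdentity  = errors.New("--certificate-identity and --certificate-oidc-issuer are required for certificate verification")
)

// CheckVerifyPolicy implements option (3): refuse mixed flags up front, then require
// the bundle's material to match the single root of trust the user stated.
func CheckVerifyPolicy(opts VerifyOpts, material BundleMaterial) error {
	hasKey := opts.KeyPath != ""
	hasIdentity := opts.CertIdentity != "" || opts.CertOIDCIssuer != ""
	switch {
	case hasKey && hasIdentity:
		// Option (3): do not pick a preference; make the user say which trust they expect.
		return ErrConflictingTrust
	case hasKey:
		if material != MaterialPublicKey {
			return ErrExpectedKey
		}
		return nil
	case opts.CertIdentity == "" || opts.CertOIDCIssuer == "":
		// Certificate verification needs both the identity and the issuer.
		return ErrMissingIdentity
	default:
		// The user asked for an identity; a key-signed bundle must not pass silently.
		if material != MaterialCertificate {
			return ErrExpectedCert
		}
		return nil
	}
}

func main() {
	// Constructed placeholders, not values from the issue.
	identity := VerifyOpts{CertIdentity: "signer@example.com", CertOIDCIssuer: "https://github.com/login/oauth"}
	key := VerifyOpts{KeyPath: "cosign.pub"}
	both := VerifyOpts{KeyPath: "cosign.pub", CertIdentity: identity.CertIdentity, CertOIDCIssuer: identity.CertOIDCIssuer}

	cases := []struct {
		name     string
		opts     VerifyOpts
		material BundleMaterial
	}{
		{"identity, cert-signed bundle", identity, MaterialCertificate},
		{"key+identity, cert-signed bundle", both, MaterialCertificate},
		{"key, key-signed bundle", key, MaterialPublicKey},
		{"key+identity, key-signed bundle", both, MaterialPublicKey},
		{"identity, key-signed bundle", identity, MaterialPublicKey},
	}
	for _, c := range cases {
		fmt.Printf("%-34s -> %v\n", c.name, CheckVerifyPolicy(c.opts, c.material))
	}
}
```

Options (1) and (2) would differ only in the first `case`: (1) drops `hasIdentity` from the condition so the key path wins, and (2) would accept either material when both flags are set. Keeping the conflict as a hard error is what makes a bundle swap from a certificate to a managed key visible to the caller.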