
Cosign verify error with gitlab as the oidc-issuer and nexus registry #4399


Description

@venerari

I got cosign sign working with this on my GitLab CI, using a Nexus registry:

default:
  tags: [docker]

stages: [sign]

variables:
  COSIGN_INSECURE_ALLOW_HTTP: 1
  NEXUS_USER: "nexus-user"
  IMAGE: "ubi-ytt-oc"
  TAG: "latest"
  REKOR_URL: "http://portainer.domain.com:49176"   # was REKUR_URL; the verify step reads $REKOR_URL
  FULCIO_URL: "http://portainer.domain.com:49174"
  OIDC_ISSUER: "https://$CI_SERVER_HOST:$CI_SERVER_PORT"
  NEXUS_REGISTRY: "nexus-server.domain.com:5555"
  CIR: "$OIDC_ISSUER/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/.*"   # the leading '$' on OIDC_ISSUER was missing
  SIGSTORE_REKOR_PUBLIC_KEY: "$CI_PROJECT_DIR/rekor-log-public.pem"
  COSIGN_YES: "true"
  COSIGN_EXPERIMENTAL: "1"

sign_image:
  stage: sign
  image: user1/podman_cosign:v2
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - |
      # trust material of the private Sigstore instance: CT log key, Rekor key, Fulcio root
      export SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=$CI_PROJECT_DIR/ctlog.pub
      export SIGSTORE_REKOR_PUBLIC_KEY=$CI_PROJECT_DIR/rekor.pub
      export SIGSTORE_ROOT_FILE=$CI_PROJECT_DIR/fulcio.crt
      # registry bearer token (service= previously used ${EXUS_REGISTRY}, a typo)
      TOKEN=$(curl -ks -u "${NEXUS_USER}:${NEXUS_PASSWD}" "https://${NEXUS_REGISTRY}/v2/token?service=${NEXUS_REGISTRY}&scope=repository:${IMAGE}:pull" | jq -r .token)
      # resolve the tag to a digest so sign and verify refer to the same manifest
      DIGEST=$(curl -ksI -H "Authorization: Bearer ${TOKEN}" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://$NEXUS_REGISTRY/v2/$IMAGE/manifests/$TAG | grep -i Docker-Content-Digest | awk '{print $2}' | tr -d $'\r')

      echo SIGNINGGGGGGGGGGGGGGGGGGG
      cosign sign --oidc-issuer=$OIDC_ISSUER --yes --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL --registry-username=$NEXUS_USER --registry-password=$NEXUS_PASSWD --allow-insecure-registry=true --registry-cacert=$CI_PROJECT_DIR/nexus-ci.pem $NEXUS_REGISTRY/$IMAGE@$DIGEST

      echo VERIFYINGGGGGGGGGGGGGGGGGG
      # set -x
      # cp $CI_PROJECT_DIR/fulcio.crt /etc/pki/ca-trust/source/anchors/
      # update-ca-trust extract
      # export SSL_CERT_FILE="$CI_PROJECT_DIR/nexus-ci.pem"
      cosign verify --certificate-identity-regexp=$CIR --certificate-oidc-issuer=$OIDC_ISSUER --rekor-url=$REKOR_URL --registry-username=$NEXUS_USER --registry-password=$NEXUS_PASSWD --registry-cacert="$CI_PROJECT_DIR/nexus-ci.pem" --allow-insecure-registry=true $NEXUS_REGISTRY/$IMAGE@$DIGEST

The fulcio-config.yaml:

# /etc/fulcio/config.yaml
oidc-issuers:
  "https://gitlab-server.domain.com:6443":         # must match the JWT iss EXACTLY
    issuer-url: "https://gitlab-server.domain.com:6443"
    client-id: "sigstore"                 # must match the JWT aud
    type: "gitlab-pipeline"
    # Optional: trust your internal GitLab TLS issuer if not publicly trusted
    ca-cert: |
      -----BEGIN CERTIFICATE-----
      MIIFDTCCAvWgAwIBAgIUeXVKNBbAiMWgTnnKfo/un23Fq2EwDQYJKoZIhvcNAQEL
      BQAwFTETMBEGA1UEAwwKdG9yb250by5jYTAgFw0yNTA5MTAxODIwMDFaGA8yMTI1
      MDgxNzE4MjAwMVowFTETMBEGA1UEAwwKdG9yb250by5jYTCCAiIwDQYJKoZIhvcN
      AQEBBQADggIPADCCAgoCggIBAKPZrQOAuMrLMvs7lMr8uS4CjfXO7z6txOAapbaQ

The Fulcio and Rekor services are deployed through the docker-compose.yaml from github.com/sigstore/fulcio and github.com/sigstore/rekor; I use the main branch. Rekor doesn't need certificates to be created, but Fulcio needs ca.crt, tls.crt and tls.key to be created.

My first question is about the ctfeConfig:

root@47a57489dbfd:/etc/config# cat ct_server.cfg
config {
        log_id: 1616601810504543208
        prefix: "test"
        roots_pem_file: "/etc/config/root.pem"
        private_key: {
                [type.googleapis.com/keyspb.PEMKeyFile] {
                        path: "/etc/config/privkey.pem"
                        password: "foobar"
                }
        }
        ext_key_usages: [ "CodeSigning" ]
}

I can't find any equivalent for GitLab; does it need to be a GitLab equivalent, or is googleapis.com fine?

The second question: for the creation described at https://github.com/sigstore/fulcio/blob/main/config/tls/key_cert_generation.md, does it need to be the same root CA as my GitLab server/Nexus server (self-signed but with a root CA/intermediate; this probably comes from a Windows certificate server) to create the tls.crt and tls.key?

The errors on cosign verify are always like this, whether it's ca=ephemeral or ca=fileca ("--ca=fileca", "--fileca-key=/config/tls/fulcio.key", "--fileca-cert=/config/tls/fulcio.crt", "--fileca-key-passwd=changeit"):
Error: no matching signatures: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

Third question: since I'm running both the Fulcio and Rekor services, do they need to point to one Trillian server/signer, or does each need its own Trillian server/signer?

Please help,
Thanks
Venerari
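Two of the requirements in this setup are easy to get wrong silently: the Fulcio `oidc-issuers` key and `issuer-url` must equal the token's `iss` byte-for-byte (and `client-id` must be in `aud`), and a `$VAR` reference that loses its `$` in a CI variables block becomes a literal string, so the identity regexp never matches the certificate's SAN. The following is an added pre-flight check written for this issue; it is not code from the post or from the sigstore projects. It uses only the Python standard library, treats the `oidc-issuers` block as a plain dict, decodes the id_token claims without verifying the signature (that remains Fulcio's job), and assumes cosign's identity regexp is matched unanchored, as Go's `regexp.MatchString` does; the token, claims and SAN value are constructed for the demo and only mirror the names from the issue.

```python
"""Pre-flight checks for the GitLab-to-Fulcio handshake described above.

Added example, not code from the issue or from the sigstore projects:
  1. decodes the claims of a CI id_token (no signature check) so that iss/aud
     can be compared with the Fulcio oidc-issuers entry;
  2. flags an oidc-issuers map whose key or issuer-url is not exactly iss, or
     whose client-id is not in aud;
  3. expands a CIR-style template the way a CI variables block would and tests
     it against a SAN, showing why a missing '$' never matches.
All tokens, claims and SAN values are constructed for the demo.
"""
import base64
import json
import re
import string


def make_demo_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature segment. Constructed
    input for this example only; Fulcio would reject it."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(claims)}.sig"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_fulcio_issuer(claims: dict, oidc_issuers: dict) -> list:
    """Compare iss/aud against a Fulcio oidc-issuers map (config.yaml loaded
    into a dict). Returns a list of problems; an empty list means consistent."""
    problems = []
    iss = claims.get("iss")
    entry = oidc_issuers.get(iss)
    if entry is None:
        problems.append(f"no oidc-issuers key equal to iss {iss!r}; keys: {sorted(oidc_issuers)}")
        return problems
    if entry.get("issuer-url") != iss:
        problems.append(f"issuer-url {entry.get('issuer-url')!r} != iss {iss!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if entry.get("client-id") not in auds:
        problems.append(f"client-id {entry.get('client-id')!r} not in aud {auds}")
    return problems


def expand_ci_variables(template: str, env: dict) -> str:
    """Expand $VAR / ${VAR} as a CI variables block would. Names missing from
    env, or text without a leading '$', stay literal: that is the failure mode
    a mistyped identity regexp silently produces."""
    return string.Template(template).safe_substitute(env)


def identity_regexp_matches(regexp: str, san: str) -> bool:
    """Approximate cosign's --certificate-identity-regexp check: an unanchored
    regexp search against the certificate SAN (assumption: Go regexp.MatchString
    semantics; add ^...$ to the pattern if you want anchoring)."""
    return re.search(regexp, san) is not None


# --- constructed sample data, mirroring the names used in the issue ---
ISSUER = "https://gitlab-server.domain.com:6443"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": "sigstore",
                 "project_path": "group/ubi-ytt-oc", "ref": "main"}
FULCIO_OIDC_ISSUERS = {ISSUER: {"issuer-url": ISSUER, "client-id": "sigstore",
                                "type": "gitlab-pipeline"}}
# the same entry keyed with a trailing slash: no longer an exact match of iss
MISKEYED_OIDC_ISSUERS = {ISSUER + "/": FULCIO_OIDC_ISSUERS[ISSUER]}
CI_ENV = {"OIDC_ISSUER": ISSUER, "CI_PROJECT_NAMESPACE": "group",
          "CI_PROJECT_NAME": "ubi-ytt-oc"}
# SAN shape only (constructed); the real value is set by Fulcio's gitlab-pipeline principal
SAMPLE_SAN = f"{ISSUER}/group/ubi-ytt-oc//.gitlab-ci.yml@refs/heads/main"
CIR_OK = "$OIDC_ISSUER/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/.*"
CIR_MISSING_DOLLAR = "OIDC_ISSUER/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/.*"


def run_checks() -> dict:
    """Run every check on the sample data and return the results as a dict."""
    claims = decode_jwt_claims(make_demo_token(SAMPLE_CLAIMS))
    return {
        "issuer_ok": check_fulcio_issuer(claims, FULCIO_OIDC_ISSUERS),
        "issuer_miskeyed": check_fulcio_issuer(claims, MISKEYED_OIDC_ISSUERS),
        "cir_ok": expand_ci_variables(CIR_OK, CI_ENV),
        "cir_ok_matches": identity_regexp_matches(expand_ci_variables(CIR_OK, CI_ENV), SAMPLE_SAN),
        "cir_missing_dollar": expand_ci_variables(CIR_MISSING_DOLLAR, CI_ENV),
        "cir_missing_dollar_matches": identity_regexp_matches(
            expand_ci_variables(CIR_MISSING_DOLLAR, CI_ENV), SAMPLE_SAN),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Running it prints an empty problem list for the exactly matching `oidc-issuers` entry, one problem for the entry keyed with a trailing slash, and shows that `$OIDC_ISSUER/...` expands to `https://gitlab-server.domain.com:6443/group/ubi-ytt-oc/.*` and matches the sample SAN while the `$`-less template stays literal and matches nothing. The same `check_fulcio_issuer` can be pointed at a real token by reading `$SIGSTORE_ID_TOKEN` in the job; note that `.` and `:` in the expanded regexp are unescaped metacharacters, which is harmless for a match test but worth anchoring or escaping for a production policy.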
