There was a previous issue opened (#1573) asking about a manual Rekor upload of an artifact signed with a cosign public key. However, the proposed solution (using the --pki-format x509 flag) did not work when I tried it.
The same artifact, public key, and signature that verify correctly with cosign do not seem to verify correctly with the rekor-cli:
[lily@fedora cosign]$ cosign verify-blob --key keys/cosign.pub --signature blob_sig generated_payload --insecure-ignore-tlog=true
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
Verified OK
[lily@fedora cosign]$ rekor-cli upload --artifact generated_payload --public-key keys/cosign.pub --pki-format x509 --signature blob_sig
error: error retrieving external entities: invalid signature when validating ASN.1 encoded signature
Is this expected? What am I missing from the command? Or is there a bug?
My guess is that blob_sig cannot be base64 encoded. Try cat blob_sig | base64 -d > decoded_blob_sig and see if you can upload that with the same key and artifact. If that works, then we can add a feature to rekor-cli to support decoding base64 encoded sigs.
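As an added illustration (not code from this thread, from cosign or from rekor), the Go program below shows why a base64 text signature fails ASN.1 parsing and why decoding it first succeeds. It mimics what the comment above assumes about cosign's sign-blob output, namely the base64 encoding of a DER-encoded ECDSA signature over the SHA-256 digest of the blob, tries both forms against a DER parser, and verifies the signature only after normalizing it to raw DER. The function names and the payload string are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ecdsaSignature mirrors the ASN.1 SEQUENCE { r INTEGER, s INTEGER } that
// a DER-encoded ECDSA signature consists of (the form an x509 PKI
// verifier expects to see on disk).
type ecdsaSignature struct {
	R, S *big.Int
}

// isDERSignature reports whether sig parses completely as a DER ECDSA
// signature. Base64 text never does: its first byte is an ASCII letter,
// not the 0x30 SEQUENCE tag, so asn1.Unmarshal returns a structural error.
func isDERSignature(sig []byte) bool {
	var parsed ecdsaSignature
	rest, err := asn1.Unmarshal(sig, &parsed)
	return err == nil && len(rest) == 0
}

// normalizeSignature returns raw DER bytes. A signature file that is already
// DER is returned unchanged; otherwise the bytes are treated as base64 text
// (the form assumed for cosign's signature output) and decoded.
func normalizeSignature(sig []byte) ([]byte, error) {
	if isDERSignature(sig) {
		return sig, nil
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(sig)))
	if err != nil {
		return nil, fmt.Errorf("signature is neither DER nor base64: %w", err)
	}
	if !isDERSignature(decoded) {
		return nil, errors.New("base64 decoded, but the result is not a DER ECDSA signature")
	}
	return decoded, nil
}

// verifyBlob checks an ECDSA signature over sha256(blob) after normalizing
// the signature bytes, so both encodings of the same signature verify.
func verifyBlob(pub *ecdsa.PublicKey, blob, sig []byte) (bool, error) {
	der, err := normalizeSignature(sig)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], der), nil
}

// signBlobLikeCosign produces a base64-encoded DER signature, the shape
// this example assumes for a cosign sign-blob signature file.
func signBlobLikeCosign(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

func main() {
	// Constructed key and payload; stand-ins for keys/cosign.pub and generated_payload.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed payload standing in for generated_payload")
	b64Sig, err := signBlobLikeCosign(priv, blob)
	if err != nil {
		panic(err)
	}
	// The raw signature file content does not parse as DER ...
	fmt.Println("base64 text parses as DER:", isDERSignature([]byte(b64Sig)))
	// ... but verifies once decoded (a trailing newline, as written by tools, is tolerated).
	ok, err := verifyBlob(&priv.PublicKey, blob, []byte(b64Sig+"\n"))
	fmt.Println("verified after normalizing:", ok, "error:", err)
}
```

The same normalization is what the suggested `base64 -d` step does by hand; keeping the DER check after decoding means a file that is neither form is rejected with a clear message rather than a generic ASN.1 error.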