What is not working as expected?
I have implemented a root CA, I have then created a subordinate CA to issue certificates and to be used by my TSA (sigstore/timestamp-server). When signing, I am using the following command (both the intermediate and the root CA certs are in notation's trust store):
notation sign --key test \
  --timestamp-url https://tsa.host.internal/api/v1/timestamp \
  --timestamp-root-cert /usr/local/share/ca-certificates/root_ca.crt \
  'registry.host.internal/hello-world@sha...'
What I get back is:
Error: timestamp: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority
Should I use openssl to timestamp a file, like this:
echo "dummy content" > /tmp/file_to_sign.txt
openssl ts -query -data /tmp/file_to_sign.txt -sha256 -no_nonce -cert -out /tmp/query.tsq
curl -s -H "Content-Type: application/timestamp-query" --data-binary @/tmp/query.tsq https://tsa.host.internal/api/v1/timestamp -o /tmp/resp.tsr
openssl ts -reply -in /tmp/resp.tsr -token_out -out /tmp/token.der
openssl cms -cmsout -print -inform DER -in /tmp/token.der
Then I see that this ticket is signed by the leaf certificate I generate with the intermediate CA (all critical constraints about timestamping and other requirements are met).
I have the feeling that the problem is that I am using a subordinate CA, but if I use that intermediate cert in the flag --timestamp-root-cert, I get
Error: failed to check root certificate with error: x509: ECDSA verification failure
and if I concatenate the intermediate and the root CA certs to build the chain of trust, and then pass that to --timestamp-root-cert, I get an error stating I should have only one certificate there... and if I remove that flag altogether, hoping this will be resolved by notation using its own trust store, that also fails.
What did you expect to happen?
Notation is able to validate my TSA tickets successfully, given that they are signed by a certificate generated by my intermediate CA, out of my root CA, both trusted in notation's store (the latter also in the system trust store).
How can we reproduce it?
Create a TSA server based on timestamp-server using a certificate created by an intermediate CA.
Sign an image with notation, with any of the previous combinations.
Describe your environment
This is running on current Debian stable; notation is installed by downloading the binary for version 1.3.2. The shell used is bash.
What is the version of your Notation CLI or Notation Library?
$ notation version
Notation - a tool to sign and verify artifacts.
Version: 1.3.2
Go version: go1.23.8
Git commit: 001cc91