Skip to content

cosign v3 fails to sign image with certificate #4865

Description

@frgt10cs

Description

Cosign v2 works fine when you are trying to sign image with your own certificate by using the next command:

cosign sign $IMAGE --insecure-skip-verify=true --tlog-update=false --certificate leaf.cer --certificate-chain ca_bundle.pem --key imported-cosign.key

But when i'm trying to sign the same way with cosign v3 it fails:

cosign sign $IMAGE --insecure-skip-verify=true --certificate leaf.cer --certificate-chain ca_bundle.pem --key imported-cosign.key --signing-config my-config.json

Error message:

error: signing [$IMAGE] recursively signing: signing digest: signing bundle: error signing bundle: fqailed to verify leaf certificate: leaf certificate verification failed

my-config.json contains default config generated by cosign signing-config create, leaf certificate contains digital signature and code signing attributes in keyUsage/extendedKeyUsage.

Is it bug or cosign v3 requires something additional to sign image by your own certificate?

Version

v2.5.0 (38bb986...), go1.24.1
v3.0.6 (f1ad3ee...), go1.25.7

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions