Is this Feature/Enhancement related to an Existing Problem? If so, please describe: No
Hauler 1.3.1 does not support pulling images with expired certificates:
error... function execution failed: no matching signatures: expected a signed timestamp to verify an expired certificate
For example, you can see this now with registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.30.3 (sha256:15e81f1433dc7305fceceb0fb565bfb1bc964f918dd2b6d70e67445683aa2b93).
Reading the cosign documentation, it looks like cosign wants --timestamp-certificate-chain set, which Hauler does not support.
Describe Proposed Solution(s):
- Support cosign --timestamp-certificate-chain argument during signature verification
Describe Possible Alternatives:
- Support / default ignoring this feature (although I can't find the right documentation in cosign)
Additional Context:
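The error quoted in this issue comes down to which clock the signing certificate is checked against. The following is an added example, not code from Hauler or cosign: `makeSigner`, `verifySigner` and `signedAt` are hypothetical names, the certificate is constructed and acts as its own trust anchor, and `signedAt` stands in for a time taken from an already verified signed timestamp.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSigner returns a constructed self-signed code-signing certificate valid in [from, until].
func makeSigner(from, until time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-signer"},
		NotBefore: from, NotAfter: until, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifySigner checks validity at the attested signing time when one is supplied;
// without it the wall clock is the only reference, so an expired certificate fails.
func verifySigner(cert *x509.Certificate, now time.Time, signedAt *time.Time) error {
	at := now
	if signedAt != nil {
		at = *signedAt
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // assumption: the constructed certificate is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func main() {
	signedAt := time.Now().Add(-48 * time.Hour) // constructed signing time
	cert, err := makeSigner(signedAt.Add(-5*time.Minute), signedAt.Add(5*time.Minute))
	if err != nil {
		panic(err)
	}
	fmt.Println("no timestamp:  ", verifySigner(cert, time.Now(), nil))
	fmt.Println("with timestamp:", verifySigner(cert, time.Now(), &signedAt))
}
```

A timestamp that falls outside the certificate's validity window is rejected as well, so the timestamp only helps when it proves the signature was made while the certificate was still valid.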