Open
Labels: bug (Something isn't working)
Description
cosign list-key-uris does not seem to initialize YKCS11 correctly, resulting in a CKR_SLOT_ID_INVALID error. It requires calling GetSlotList before listing the objects, according to this issue on YKCS11.
$ cosign pkcs11-tool list-keys-uris --module-path /path/to/lib/libykcs11.dylib
Error: get token info: pkcs11: 0x3: CKR_SLOT_ID_INVALID
error during command execution: get token info: pkcs11: 0x3: CKR_SLOT_ID_INVALID

Discussion: This is a very specific issue related to how YKCS11 is implemented. Should cosign apply a patch this specific (as the pkcs11 module is quite generic)?
Patch is currently pushed to my fork here. Patch by @salrashid123
Cosign installation info:
$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v3.0.5
GitCommit: unknown
GitTreeState: clean
BuildDate: unknown
GoVersion: go1.25.7
Compiler: gc
Platform: darwin/arm64

libykcs version: 2.7.3 (installed with yubico-piv-tool)
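The ordering problem described in this report, as an added Go example that is not cosign's code or the patch from the linked fork. `slotAPI`, `lazyModule` and `tokenLabel` are hypothetical names, and `lazyModule` is a constructed stand-in that rejects token queries until its slot list has been requested, which is the behaviour the issue reports for YKCS11.

```go
package main

import "fmt"

// slotAPI is a hypothetical subset of a PKCS#11 binding (C_GetSlotList, C_GetTokenInfo).
type slotAPI interface {
	GetSlotList(tokenPresent bool) ([]uint, error)
	GetTokenInfo(slotID uint) (string, error)
}

var errSlotIDInvalid = fmt.Errorf("pkcs11: 0x3: CKR_SLOT_ID_INVALID")

// lazyModule is a constructed stand-in: it knows its slot only after GetSlotList runs.
type lazyModule struct {
	slot   uint
	listed bool
}

func (m *lazyModule) GetSlotList(bool) ([]uint, error) {
	m.listed = true
	return []uint{m.slot}, nil
}

func (m *lazyModule) GetTokenInfo(id uint) (string, error) {
	if !m.listed || id != m.slot {
		return "", errSlotIDInvalid
	}
	return "constructed-token", nil
}

// tokenLabel enumerates slots first and queries only an ID the module returned.
func tokenLabel(p slotAPI, slotID uint) (string, error) {
	slots, err := p.GetSlotList(true)
	if err != nil {
		return "", fmt.Errorf("get slot list: %w", err)
	}
	for _, s := range slots {
		if s == slotID {
			return p.GetTokenInfo(slotID)
		}
	}
	return "", fmt.Errorf("slot %d not present in %v", slotID, slots)
}

func main() {
	m := &lazyModule{slot: 0}
	fmt.Println(m.GetTokenInfo(0)) // direct query before enumeration fails
	fmt.Println(tokenLabel(m, 0))  // same slot succeeds once slots are listed
}
```

Enumerating first is not specific to one module: a slot ID that never came from the module's own slot list is reported as a clear caller error instead of surfacing as CKR_SLOT_ID_INVALID.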