RSA Verification with cosign

[zosocanuck]

Hi,

cosign v1.3.0 now supports RSA public key verification as part of the cosign -verify -key operation, and therefore it would be great for connaisseur to add RSA public verification for cosign, in addition to ECDSA. I've gone ahead and created a specific version at https://github.com/zosocanuck/connaisseur which may be of interest. Happy to open a PR if this is a direction you'd like to take.

[xopham]

Hi @zosocanuck , good point! Thanks for sharing the reference implementation. Do you actually use RSA in your case? If so, why?
Think we should clean up that section to improve code quality for the different types of keys, as it starts to be a bit messy especially as we are adding #407 . We'll need to look into it.
(linked to #201 )

[zosocanuck]

Yes, I work with enterprise customers and there is still consistent demand for the use of the RSA algorithm for signatures and verification. The majority are Elliptic curve however IMO there should be basic support for RSA given the deployment or RSA within enterprise signing environments.

[xopham]

thanks for sharing those insights 🙏 based on your work, I created a first tentative integration of rsa in #416 . Does that work for you? Would be nice to get your feedback given the current lack of an e2e test on our side.

[xopham]

@zosocanuck do you have a minimal example for creating a valid cosign rsa signature?

[zosocanuck]

You can now use cosign (main branch) to import RSA keypairs to produce and verify RSA signatures: sigstore/cosign#1050