Docker Build Fails on Cosign Verification: TLS Certificate Verification Error


I'm encountering a TLS certificate verification issue during a Docker build process involving the verification of a container image using Cosign. Despite updating and installing CA certificates in the Dockerfile, the build process fails when running the cosign verify command. The error persists, indicating an issue with verifying the certificate from Sigstore's Transparency Log.

Here's the relevant part of my Dockerfile:

# Build phase 1: Verification
FROM docker:stable-dind

# Update and install necessary packages
RUN apk update && apk add curl openssl ca-certificates && update-ca-certificates

# Install Cosign
RUN curl -sL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign && \
    chmod +x /usr/local/bin/cosign

# Download Cosign public key
RUN curl -sL https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub -o /usr/local/cosign.pub

# Verify the image using cosign and your public key
RUN cosign verify --key /usr/local/cosign.pub gcr.io/distroless/java17-debian11 \
    || { echo "Cosign verification failed. Please check the image or public key."; exit 1; }

And the error message:

Error: getting Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://tuf-repo-cdn.sigstore.dev/8.root.json": tls: failed to verify certificate: x509: certificate signed by unknown authority

I'm wondering if:

  • There are additional configurations needed for Cosign or Docker to recognize the CA certificates.
  • The issue might be related to the network environment or specific to the Docker image I'm using (docker:stable-dind).

Any insights or suggestions to resolve this TLS certificate verification issue would be greatly appreciated!
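One way to narrow this down, as an added diagnostic that is not part of the original question: cosign is a Go binary, and Go's TLS stack on Linux reads the bundle that update-ca-certificates writes on Alpine (/etc/ssl/certs/ca-certificates.crt) and also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables. If that bundle is populated and tuf-repo-cdn.sigstore.dev is still rejected as "signed by unknown authority", the certificate chain the build container is actually receiving is not the public one, which usually means a proxy is intercepting TLS on the build network. The script below, run inside the same docker:stable-dind image, checks the bundle, prints the issuer the network really serves for the host named in the posted error, and tries the same download with curl against the same bundle. The bundle path, the host and the 8.root.json path are taken from the post or assumed; the functions are hypothetical helpers written for this answer.

```shell
#!/bin/sh
# Added diagnostic for a Go-based tool (cosign) failing with
# "x509: certificate signed by unknown authority" inside a build container.
# Not code from the original post; host, paths and helper names are assumptions.

TUF_HOST="tuf-repo-cdn.sigstore.dev"                              # host from the posted error
TUF_PATH="8.root.json"                                            # path from the posted error
CA_BUNDLE="${SSL_CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}"  # Go honours SSL_CERT_FILE

# Return 0 when an error message points at the trust store rather than at
# the image signature or the public key (the posted message matches).
is_trust_store_error() {
    case "$1" in
        *"certificate signed by unknown authority"*|*"failed to verify certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the certificates in a PEM bundle. 0 means update-ca-certificates
# produced nothing usable and every outbound TLS connection from Go fails.
bundle_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the issuer of the leaf certificate the network actually serves for $1.
# A corporate or proxy CA here, rather than a public CA, means TLS is being
# intercepted between the build container and Sigstore.
served_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Full check; needs network access, so it only runs when asked for explicitly.
diagnose() {
    echo "CA bundle: $CA_BUNDLE ($(bundle_cert_count "$CA_BUNDLE") certificates)"
    echo "Issuer served for $TUF_HOST: $(served_issuer "$TUF_HOST")"
    echo "HTTPS_PROXY=${HTTPS_PROXY:-<unset>} https_proxy=${https_proxy:-<unset>}"
    if curl -fsS --cacert "$CA_BUNDLE" -o /dev/null "https://$TUF_HOST/$TUF_PATH"; then
        echo "curl trusts the served chain with this bundle; cosign should as well"
    else
        echo "curl rejects the chain too: the served chain is not rooted in this bundle."
        echo "Add the intercepting CA under /usr/local/share/ca-certificates/ (.crt) in the"
        echo "Dockerfile before update-ca-certificates, instead of skipping verification."
    fi
}

if [ "${1:-}" = "--diagnose" ]; then
    diagnose
fi
```

Run it as `sh diagnose.sh --diagnose` from a RUN step placed just before the cosign verify line. If the issuer printed is a public CA and curl succeeds, the trust store is fine and the failure lies elsewhere; if the issuer is an internal CA, the fix is to ship that CA into the image's trust store (or pass it through SSL_CERT_FILE) rather than to weaken cosign's checks, since the TUF root it downloads is what anchors the whole signature verification.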
