From what I understand, when you sign an image/binary using cosign, a record is created in Rekor that is used as proof that the signature took place at a specific time.
What I was wondering is: when verifying, how does cosign locate the record in Rekor?
Let's take an example of blob signing.
I sign an artifact using:
cosign sign-blob file.txt --output-certificate fulcio.crt.base64 --output-signature fulcio.sig
This takes me through OIDC authentication, and outputs the certificate used for signing as well as the signature.
Now, for validation:
cosign verify-blob --certificate fulcio.crt.base64 --certificate-oidc-issuer=https://accounts.google.com --certificate-identity [email protected] --signature fulcio.sig file.txt
When validating, the validator passes to cosign:
- The file
- The signature
- The certificate used to sign the blob
- The identity it expects to sign the blob
- The OIDC provider
What in this bunch of data tells cosign how to locate the record in Rekor?
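Editor's note with an added illustration (my code, not the poster's and not cosign's own source): of the inputs listed above, the lookup key is the file itself. When `verify-blob` is run without a `--bundle`, cosign hashes the blob with SHA-256 and asks Rekor's search index for every entry recorded under that digest, then narrows the candidates to the entry whose recorded signature matches `fulcio.sig` and whose `integratedTime` falls inside the short validity window of the Fulcio certificate. (With `cosign sign-blob --bundle`, the Rekor entry is written to a local file and `verify-blob --bundle` needs no search at all.) The snippet below reproduces that selection logic over constructed Rekor entries; the digest, signature, certificate window and entry UUIDs are all made up, and the real inclusion-proof and signed-entry-timestamp checks that cosign performs on the chosen entry are not shown.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for file.txt; no real artifact is involved.
BLOB = b"example artifact contents\n"
# Constructed stand-in for the contents of fulcio.sig (base64 of "signature-bytes").
SIG_B64 = "c2lnbmF0dXJlLWJ5dGVz"
# Constructed validity window of the Fulcio signing certificate (they are short-lived).
NOT_BEFORE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(minutes=10)


def artifact_digest(data: bytes) -> str:
    """SHA-256 of the blob: the only Rekor lookup key the verifier has."""
    return hashlib.sha256(data).hexdigest()


def rekor_search_body(data: bytes) -> dict:
    """Request body for Rekor's POST /api/v1/index/retrieve.
    Rekor answers with the UUIDs of all entries recorded for that digest."""
    return {"hash": "sha256:" + artifact_digest(data)}


def decode_hashedrekord(entry: dict) -> dict:
    """Rekor returns the entry body as base64-encoded JSON; decode it."""
    return json.loads(base64.b64decode(entry["body"]))


def select_matching_entries(entries: dict, data: bytes, sig_b64: str,
                            not_before: datetime, not_after: datetime) -> list:
    """Narrow the candidates returned for the digest to the entries that belong
    to *this* signing event: same digest, same signature bytes, and an
    inclusion time inside the signing certificate's validity window."""
    digest = artifact_digest(data)
    matches = []
    for uuid, entry in entries.items():
        spec = decode_hashedrekord(entry)["spec"]
        if spec["data"]["hash"]["value"] != digest:
            continue                      # different artifact
        if spec["signature"]["content"] != sig_b64:
            continue                      # same artifact, someone else's signature
        integrated = datetime.fromtimestamp(entry["integratedTime"], tz=timezone.utc)
        if not (not_before <= integrated <= not_after):
            continue                      # logged outside the cert's lifetime
        matches.append(uuid)
    return matches


def make_entry(digest: str, sig_b64: str, integrated: datetime) -> dict:
    """Build a constructed hashedrekord entry shaped like a Rekor response."""
    body = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": digest}},
            "signature": {
                "content": sig_b64,
                # Constructed placeholder; Rekor stores the base64 PEM certificate here.
                "publicKey": {"content": "PLACEHOLDER-BASE64-PEM-CERT"},
            },
        },
    }
    return {
        "body": base64.b64encode(json.dumps(body).encode()).decode(),
        "integratedTime": int(integrated.timestamp()),
    }


# Constructed sample of what the index search might return for our digest:
# our own entry, a second signer's entry for the same file, and a stale entry
# carrying our signature bytes but logged a day before the cert existed.
SAMPLE_ENTRIES = {
    "uuid-ours": make_entry(artifact_digest(BLOB), SIG_B64,
                            NOT_BEFORE + timedelta(minutes=1)),
    "uuid-other-signer": make_entry(artifact_digest(BLOB), "b3RoZXItc2ln",
                                    NOT_BEFORE + timedelta(minutes=1)),
    "uuid-stale": make_entry(artifact_digest(BLOB), SIG_B64,
                             NOT_BEFORE - timedelta(days=1)),
}

if __name__ == "__main__":
    print(json.dumps(rekor_search_body(BLOB)))
    print(select_matching_entries(SAMPLE_ENTRIES, BLOB, SIG_B64, NOT_BEFORE, NOT_AFTER))
```

The point for a verifier: nothing in the certificate or the OIDC identity names a Rekor entry; the artifact's digest drives the search, and the signature plus the certificate's validity window are what disambiguate the result once Rekor has answered.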