Using HSM with PKCS11 and certificate, how can I validade it without passing public key? is it possible?

[betorvs]

Hello everyone,

I really like Cosign, and I've been using it for over a year. Thanks!

I now have to use it with HSM hardware and I managed to compile it to use PKCS11 by following your documentation.

I sign a container image using the following command:

cosign sign --key "PKCS-URI-entry" --tlog-upload=false --certificate=ev-cert.pem --certificate-chain=chain.pem image:tag@digest

When I tried to verify it without using a public key, it didn't work:

$ cosign verify image:tag@digest --certificate-identity 'CN=MY CN from certificate'
Error: --certificate-oidc-issuer or --certificate-oidc-issuer-regexp is required for verification in keyless mode

Is there any way to include this certificate so that my end user can verify it easily? Do I need a transparent log for this?
All advice is welcome.

[salrashid123]

i'd imagine you have to pass in the public key or its reference.

fwiw, i used a pkcs uri for the public key. Here's the end-to-end for an older version of cosign where i'm using a trusted platform module:and softhsm

• Container Signing with Cosign and TPM PKCS-11