Description
I am testing out the signing of docker images with cosign and a self-hosted sigstore stack. The stack is installed on k8s with the scaffolding helm chart from sigstore, to which I manually added the TSA certs and cert chain (which is made of a leaf, an intermediate and a root). The signing and verification are done in two different stages of a gitlab pipeline. Before signing and verifying, I initialize cosign by referencing my self-hosted TUF:

```
COSIGN_EXPERIMENTAL=1 cosign initialize --mirror https://my-own-tuf.com --root https://my-own-tuf.com/root.json
```

and receive the following root.json:
```
Root status:
{
  "local": "/root/.sigstore/root",
  "remote": "https://my-own-tuf.com",
  "metadata": {
    "root.json": {
      "version": 1,
      "len": 2177,
      "expiration": "27 May 26 08:43 UTC",
      "error": ""
    },
    "snapshot.json": {
      "version": 1,
      "len": 618,
      "expiration": "27 May 26 08:43 UTC",
      "error": ""
    },
    "targets.json": {
      "version": 1,
      "len": 2598,
      "expiration": "27 May 26 08:43 UTC",
      "error": ""
    },
    "timestamp.json": {
      "version": 1,
      "len": 619,
      "expiration": "27 May 26 08:43 UTC",
      "error": ""
    }
  },
  "targets": [
    "ctfe.pub",
    "fulcio_v1.crt.pem",
    "rekor.pub",
    "trusted_root.json",
    "tsa_intermediate_0.crt.pem",
    "tsa_leaf.crt.pem",
    "tsa_root.crt.pem"
  ]
}
```
In this, I can see that the cert chain of the TSA I supplied is present (I also verified that the certs are the correct ones). When I try to sign and verify by also pointing at my TSA, I receive these warnings:

```
**Warning** Custom metadata not configured properly for target tsa_intermediate_0.crt.pem, skipping target
**Warning** Custom metadata not configured properly for target tsa_leaf.crt.pem, skipping target
**Warning** Custom metadata not configured properly for target tsa_root.crt.pem, skipping target
```
From what I understood, my TUF doesn't really give the TSA cert chain to cosign, and this makes the verification process fail (the signing one works). To test it out, I manually passed the cert chain to the verification stage, and in that way it works.
I expected that TUF should be the source of all needed certs, but it seems that it's not working for TSA. I also inspected the custom metadata for the TSA cert, and they seem to be in line with those of fulcio, rekor and ctlog.
Is there any way to debug this?
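One way to debug the "Custom metadata not configured properly" warning offline is to audit the `custom` field of every target in the downloaded `targets.json` the same way a sigstore TUF client consumes it, before pointing cosign at the mirror again. The script below is an added example, not cosign's or sigstore's own code. It assumes the metadata shape `"custom": {"sigstore": {"usage": ..., "status": ...}}` with the usage vocabulary `Fulcio`, `Rekor`, `CTFE`, `TSA` and the status vocabulary `Active`, `Expired`; both sets are assumptions drawn from the sigstore TUF client conventions, and the `targets.json` it parses is a constructed sample that mixes correct entries with two typical mistakes (a missing `custom` block and lowercase values).

```python
"""Audit sigstore custom metadata in a TUF targets.json (added example).

Reports which targets a sigstore-style TUF client would accept and which
it would skip, and lists the targets it would hand to cosign for a usage.
"""
import json

# Assumed vocabularies (sigstore TUF client convention, not read from the page).
KNOWN_USAGES = {"Fulcio", "Rekor", "CTFE", "TSA"}
KNOWN_STATUSES = {"Active", "Expired"}


def check_target(name, meta):
    """Return (ok, reason). ok=False means the client would skip this target."""
    custom = meta.get("custom")
    if custom is None:
        return False, "no custom metadata (target silently ignored)"
    sig = custom.get("sigstore")
    if not isinstance(sig, dict):
        return False, "custom.sigstore missing or not an object"
    usage = sig.get("usage")
    status = sig.get("status")
    if usage not in KNOWN_USAGES:
        return False, f"unknown usage {usage!r}"
    if status not in KNOWN_STATUSES:
        return False, f"unknown status {status!r}"
    return True, f"{usage}/{status}"


def audit_targets(targets_json):
    """Map every target name to its (ok, reason) verdict."""
    signed = json.loads(targets_json)["signed"]
    return {name: check_target(name, meta) for name, meta in signed["targets"].items()}


def active_targets_for_usage(targets_json, usage):
    """Names of well-formed, Active targets tagged with the given usage."""
    signed = json.loads(targets_json)["signed"]
    out = []
    for name, meta in signed["targets"].items():
        ok, _ = check_target(name, meta)
        if ok:
            sig = meta["custom"]["sigstore"]
            if sig["usage"] == usage and sig["status"] == "Active":
                out.append(name)
    return sorted(out)


# Constructed sample: hashes are placeholders, not real target digests.
SAMPLE_TARGETS_JSON = json.dumps({
    "signatures": [],
    "signed": {
        "_type": "targets",
        "version": 1,
        "targets": {
            "rekor.pub": {
                "length": 178, "hashes": {"sha256": "00" * 32},
                "custom": {"sigstore": {"usage": "Rekor", "status": "Active"}},
            },
            "tsa_leaf.crt.pem": {
                "length": 900, "hashes": {"sha256": "11" * 32},
                "custom": {"sigstore": {"usage": "TSA", "status": "Active"}},
            },
            # Mistake 1: no custom block at all, so the client never considers it.
            "tsa_intermediate_0.crt.pem": {
                "length": 950, "hashes": {"sha256": "22" * 32},
            },
            # Mistake 2: lowercase values that do not match the expected vocabulary.
            "tsa_root.crt.pem": {
                "length": 1000, "hashes": {"sha256": "33" * 32},
                "custom": {"sigstore": {"usage": "tsa", "status": "active"}},
            },
        },
    },
})


if __name__ == "__main__":
    for name, (ok, reason) in audit_targets(SAMPLE_TARGETS_JSON).items():
        print(f"{'OK  ' if ok else 'SKIP'} {name}: {reason}")
    print("TSA chain cosign would receive:",
          active_targets_for_usage(SAMPLE_TARGETS_JSON, "TSA"))
```

To run it against a real mirror, replace `SAMPLE_TARGETS_JSON` with the contents of the cached `targets.json` under the local TUF root directory shown in the `cosign initialize` output; a target that comes back as `SKIP` is one that would never reach the verifier even though it appears in the targets list.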