`cosign verify-attestation` used with the `--type` flag will report a false positive verification when:
This can happen both when signing with a standard keypair and when using “keyless” signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater, which contains the patch. Currently the only workaround is to upgrade.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/sigstore/cosign | lt | 1.10.1 |