
AWS KMS Keys appear to only be able to use RSASSA_PKCS1_V1_5_SHA_256 signing algorithm #3807

Open
trevorlinton opened this issue Jul 31, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@trevorlinton

Hello,

I am trying to use AWS with KMS keys and cosign to sign images. If I understand the code correctly it would appear that when using AWS KMS keys, cosign first describes the key, then it will use the first signing algorithm returned back from the AWS DescribeKey API in the SigningAlgorithms array field.

This seems to have a few issues.

  1. It just so happens to always be RSASSA_PKCS1_V1_5_SHA_256 as it is the first value in the DescribeKey response for all AWS KMS asymmetric keys with RSA 4096. This is widely regarded as insecure and AWS recommends using RSASSA_PSS_SHA256 as a default.
  2. If the AWS DescribeKey API changed the order of values in the SigningAlgorithms array (which is possible) it will change the default behavior of cosign.
  3. Shouldn't there be an option to specifically request a signing algorithm given they at times become deprecated?
@trevorlinton trevorlinton added the enhancement New feature or request label Jul 31, 2024
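One way to make the choice independent of the DescribeKey ordering and to honour an explicit request is to select from the returned list by a fixed preference table. This is an added example, not cosign's code; `chooseSigningAlgorithm`, `defaultPreference` and the sample `SigningAlgorithms` slices are this example's own, and it assumes the caller has already obtained the slice from DescribeKey.

```go
package main

import (
	"errors"
	"fmt"
)

// Preference order for the algorithm passed to KMS Sign. The strings are the
// AWS KMS SigningAlgorithmSpec values; all use SHA-256 so that the digest the
// signer computes matches the hash the key expects. The ordering itself is an
// assumption of this example: PSS before PKCS#1 v1.5, as the issue suggests.
var defaultPreference = []string{
	"RSASSA_PSS_SHA_256",
	"ECDSA_SHA_256",
	"RSASSA_PKCS1_V1_5_SHA_256",
}

// chooseSigningAlgorithm picks a signing algorithm for a KMS key.
// available is the SigningAlgorithms slice from DescribeKey, in whatever
// order the API returned it; requested, if non-empty, is an explicit user
// choice that must be supported by the key. The result never depends on the
// position of an entry in available.
func chooseSigningAlgorithm(available []string, requested string) (string, error) {
	supported := make(map[string]bool, len(available))
	for _, alg := range available {
		supported[alg] = true
	}
	if requested != "" {
		if !supported[requested] {
			return "", fmt.Errorf("key does not support %q (supports %v)", requested, available)
		}
		return requested, nil
	}
	for _, alg := range defaultPreference {
		if supported[alg] {
			return alg, nil
		}
	}
	return "", errors.New("no acceptable signing algorithm offered by the key")
}

func main() {
	// Constructed sample: the SigningAlgorithms list an RSA_4096 signing key
	// reports, with the PKCS#1 v1.5 entries first as described in the issue.
	rsa4096 := []string{
		"RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512",
		"RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512",
	}
	alg, err := chooseSigningAlgorithm(rsa4096, "")
	fmt.Println(alg, err)
}
```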