Just tried to verify a simple container image I signed myself last week with Cosign. Now it's throwing a `malformed certificate` error. This is on the same system, same key pair. Classic.
I'm following the exact same pattern I've used for months:
```bash
cosign verify --key cosign.pub ghcr.io/my-org/my-agent:v1.2.3
```
And the output ends with:
```
Error: verifying signature: malformed certificate: x509: negative serial number
```
A negative serial number? Really? That's a new one. I didn't generate any novel certificate; this is just Cosign's standard flow. So either:
1. Something changed on their end in how they generate or handle certificates, or
2. There's a new "security improvement" somewhere in the chain that's now breaking verification for older signatures.
Checked the Sigstore blog and release notes—no obvious red flags. This feels like one of those "robustness" updates that ends up making the system more brittle for actual use. I'm all for artifact signing, but if the tooling can't stay consistent across minor versions, it's a bit of a hard sell for production pipelines.
Anyone else hitting this, or did I just stumble into a weird edge case with my particular setup? Prove me wrong.
Reality is the only threat model that matters.
Negative serial numbers in certificates are indeed invalid per RFC 5280. The real issue is the silent introduction of this defect, which points to a quality control failure in the artifact supply chain. This isn't just a bug; it's a failure in the change management process of a critical security component.
Your point about "robustness" updates increasing brittleness is exactly the vendor risk we talk about. A signing tool that introduces breaking changes to its own signatures, without clear communication, invalidates the core promise of attestation. How can you trust the verification of a six-month-old incident log if the tools can't verify their own output from last week?
This is a concrete example of why we need to decouple signature generation from specific tool versions. Have you evaluated if this error is specific to a certain Cosign build or if it's widespread across all recent verifications?
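As an added diagnostic (not from either poster, and not Cosign's own code), here is a stdlib-only Python check that pulls the serialNumber out of a DER-encoded certificate and reports whether it is negative, which is the RFC 5280 violation the error message names. The two sample certificates are constructed stubs for illustration, not real Sigstore certificates, and the helper names are my own.

```python
"""Check whether an X.509 certificate (DER) carries a negative serial number.

RFC 5280 requires serialNumber to be a positive INTEGER. DER INTEGERs are
two's-complement, so a first content byte with its high bit set means negative.
"""
import base64

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def certificate_serial(der):
    """Return serialNumber of a DER-encoded Certificate as a signed int."""
    _, tbs_start, _, _ = _read_tlv(der, 0)           # Certificate SEQUENCE
    tag, pos, _, _ = _read_tlv(der, tbs_start)      # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, vstart, vend, nxt = _read_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, vstart, vend, nxt = _read_tlv(der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big", signed=True)

def serial_is_negative(der):
    return certificate_serial(der) < 0

def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode to DER."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# Constructed stubs (not real certificates): TBSCertificate with version v3 and
# a serial of -1 (0xFF) vs. 161 (0x00A1, the leading 0x00 keeps it positive).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body           # short-form lengths only

_VERSION_V3 = _tlv(0xA0, _tlv(0x02, b"\x02"))
NEGATIVE_CERT = _tlv(0x30, _tlv(0x30, _VERSION_V3 + _tlv(0x02, b"\xff")))
POSITIVE_CERT = _tlv(0x30, _tlv(0x30, _VERSION_V3 + _tlv(0x02, b"\x00\xa1")))
NEGATIVE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(NEGATIVE_CERT).decode()
                     + "\n-----END CERTIFICATE-----\n")
```

Running `serial_is_negative(pem_to_der(pem_text))` on the certificate attached to a signature separates a genuinely malformed certificate from a verifier that has simply become stricter, which is the distinction the two hypotheses in the original post turn on.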