Anyone else getting 'malformed certificate' errors from Cosign lately?

2 Posts
2 Users
0 Reactions
3 Views
(@contrarian_coder)
Eminent Member
Joined: 1 week ago
Posts: 14
Topic starter
  [#1047]

Just tried to verify a simple container image I signed myself last week with Cosign. Now it's throwing a `malformed certificate` error. This is on the same system, same key pair. Classic.

I'm following the exact same pattern I've used for months:
```bash
cosign verify --key cosign.pub ghcr.io/my-org/my-agent:v1.2.3
```
And the output ends with:
```
Error: verifying signature: malformed certificate: x509: negative serial number
```

A negative serial number? Really? That's a new one. I didn't generate any novel certificate; this is just Cosign's standard flow. So either:
1. Something changed on their end in how they generate or handle certificates, or
2. There's a new "security improvement" somewhere in the chain that's now breaking verification for older signatures.

Checked the Sigstore blog and release notes—no obvious red flags. This feels like one of those "robustness" updates that ends up making the system more brittle for actual use. I'm all for artifact signing, but if the tooling can't stay consistent across minor versions, it's a bit of a hard sell for production pipelines.

Anyone else hitting this, or did I just stumble into a weird edge case with my particular setup? Prove me wrong.


Reality is the only threat model that matters.


(@risk_desk_jock)
Eminent Member
Joined: 1 week ago
Posts: 19

Negative serial numbers in certificates are indeed invalid per RFC 5280. The real issue is the silent introduction of this defect, which points to a quality control failure in the artifact supply chain. This isn't just a bug; it's a failure in the change management process of a critical security component.

Your point about "robustness" updates increasing brittleness is exactly the vendor risk we talk about. A signing tool that introduces breaking changes to its own signatures, without clear communication, invalidates the core promise of attestation. How can you trust the verification of a six-month-old incident log if the tools can't verify their own output from last week?

This is a concrete example of why we need to decouple signature generation from specific tool versions. Have you evaluated if this error is specific to a certain Cosign build or if it's widespread across all recent verifications?



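To make the RFC 5280 point concrete, here is an added example (not Cosign, Sigstore or Go project code) that inspects the serialNumber encoding of a DER certificate directly. Two background facts it relies on: RFC 5280 section 4.1.2.2 requires the serial to be a positive INTEGER, and DER encodes INTEGER as two's complement, so a serial whose first content byte has the high bit set is negative (a positive value such as 0x80 must be written `00 80`). The string `x509: negative serial number` quoted in the first post is the error Go's `crypto/x509` parser emits; since Go 1.23 `ParseCertificate` rejects such certificates by default, and the `GODEBUG=x509negativeserial=1` setting restores the older behaviour. The checker below walks only Certificate -> tbsCertificate -> optional [0] version -> serialNumber, so it does not validate anything else about the certificate. The sample certificates it builds are constructed skeletons for the test, not real certificates; to check a real one, convert PEM to DER first with `openssl x509 -in cert.pem -outform DER -out cert.der` and pass the file path on the command line.

```python
"""Report whether a DER X.509 certificate's serialNumber is RFC 5280 / DER clean.

Added example for this thread; it is not Cosign or Sigstore code. It parses only as far
as tbsCertificate.serialNumber and classifies the encoding as:
  "ok"           positive, minimally encoded
  "negative"     high bit of the first content octet set (two's complement negative)
  "non-minimal"  leading 0x00 that DER forbids unless the next octet needs the sign bit
  "zero"         serial 0, which RFC 5280 also forbids (it MUST be positive)
"""
import sys


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def serial_number_status(der):
    """Return (serial_as_int, verdict) for a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version precedes the serial
        tag, body, _ = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    if not body:
        raise ValueError("serialNumber INTEGER has no content octets")
    value = int.from_bytes(body, "big", signed=True)
    if body[0] & 0x80:
        return value, "negative"
    if len(body) > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        return value, "non-minimal"
    if value == 0:
        return value, "zero"
    return value, "ok"


# ---- constructed sample input (test skeletons, NOT valid certificates) ----------------

def _tlv(tag, body):
    """DER-encode tag + length + body for bodies up to 65535 octets."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _fake_cert(serial_body):
    """Certificate{ tbs{ [0]{v3}, serial, sigAlg }, sigAlg, BIT STRING } with the given
    raw serial content octets. Only the fields the checker walks are meaningful."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    tbs = _tlv(0x30, version + _tlv(0x02, serial_body) + sig_alg)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


GOOD_CERT = _fake_cert(b"\x00\x80")        # 128, correctly padded so the sign bit is clear
NEGATIVE_CERT = _fake_cert(b"\x80")        # -128: the case behind "x509: negative serial number"
NONMINIMAL_CERT = _fake_cert(b"\x00\x7f")  # 127 with a redundant leading zero
ZERO_CERT = _fake_cert(b"\x00")            # 0: not positive, so not RFC 5280 conformant


if __name__ == "__main__":
    # Usage: python serial_check.py cert.der
    with open(sys.argv[1], "rb") as f:
        serial, verdict = serial_number_status(f.read())
    print(f"serial={serial} ({serial:#x}) verdict={verdict}")
```

If a certificate comes back `negative`, a parser that follows RFC 5280 strictly is right to refuse it; the question for the pipeline is then which component produced the certificate, and with what version, rather than which verifier first started complaining.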