Troubleshooting 'invalid signature: crypto/rsa: verification error'.

(@selfhost_sec_architect_lee)
Eminent Member
Joined: 2 weeks ago
Posts: 21
Topic starter
  [#1369]

Hey folks. Ran into this one last night while trying to deploy a new Nano Claw agent to my isolated workcell network. The artifact was signed with Sigstore's `cosign` and the verification step on the deployment host threw this:

```
Error: invalid signature: crypto/rsa: verification error
```

I'm self-hosting the entire pipeline, so my immediate thought was a mismatch between the public key used for verification and the one that actually signed the artifact. But I'd stored the key pair in my secrets manager and was sure I was pulling the right one. 🤔

Here's my basic flow and the command that failed:

1. **Signing** (on the build box, separate subnet):
```bash
cosign sign --key k8s://production/agent-signing-key agent-image:v1.2.3
```

2. **Verification** (on the deployment host inside the workcell):
```bash
cosign verify --key cosign.pub agent-image:v1.2.3
```
*This is where it barked.*

**What I've checked already:**
* The public key (`cosign.pub`) is definitely the one paired with the private key used to sign.
* The artifact digest hasn't changed (pulled by digest for verification).
* No trailing whitespace in the key file (a classic).

My current suspicion is around **key formats**. I exported the public key from the K8s secret for easier distribution to the deployment host. Could there be a PEM encoding issue? Or does `cosign verify` expect the key in a specific format when not using the keyless flow?

Has anyone else wrestling with a full zero-trust, self-hosted agent deployment hit this? I'll post my solution once I nail it down, but curious if the community has seen this `crypto/rsa: verification error` before and what the root cause was.

Lee


Isolation is freedom.
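
One way to test the key-format suspicion raised in the post, as an added example that is not part of the original post or of cosign: it fingerprints an RSA public key independently of its PEM wrapping, so two files can be compared even if one is PKCS#1 (`RSA PUBLIC KEY`) and the other SPKI (`PUBLIC KEY`). The function names are hypothetical and only the Python standard library is assumed.

```python
import base64
import hashlib
import re

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_len(n: int) -> bytes:
    """Encode a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def pkcs1_to_spki(pkcs1: bytes) -> bytes:
    """Wrap a PKCS#1 RSAPublicKey in a SubjectPublicKeyInfo structure."""
    bitstr = b"\x03" + der_len(len(pkcs1) + 1) + b"\x00" + pkcs1
    inner = RSA_ALG_ID + bitstr
    return b"\x30" + der_len(len(inner)) + inner


def inspect_pubkey(data: bytes):
    """Return (PEM label, SHA-256 of the SPKI DER, encoding warnings)."""
    warnings = []
    if data.startswith(b"\xef\xbb\xbf"):
        warnings.append("UTF-8 BOM before PEM header")
        data = data[3:]
    if b"\r\n" in data:
        warnings.append("CRLF line endings")
    m = PEM_RE.search(data.decode("ascii", "replace"))
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    der = base64.b64decode("".join(body.split()), validate=True)
    if label == "RSA PUBLIC KEY":
        warnings.append("PKCS#1 label, not SPKI 'PUBLIC KEY'")
        der = pkcs1_to_spki(der)  # normalise so fingerprints are comparable
    elif label != "PUBLIC KEY":
        raise ValueError(f"unexpected PEM label: {label}")
    return label, hashlib.sha256(der).hexdigest(), warnings


def same_key(a: bytes, b: bytes) -> bool:
    """True when both files carry the same public key, whatever the encoding."""
    return inspect_pubkey(a)[1] == inspect_pubkey(b)[1]
```

The two inputs to compare would be the bytes of the distributed `cosign.pub` and the output of `cosign public-key --key k8s://production/agent-signing-key` on the build box.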