Hey folks. Ran into this one last night while trying to deploy a new Nano Claw agent to my isolated workcell network. The artifact was signed with Sigstore's `cosign` and the verification step on the deployment host threw this:
```
Error: invalid signature: crypto/rsa: verification error
```
I'm self-hosting the entire pipeline, so my immediate thought was a mismatch between the public key used for verification and the one that actually signed the artifact. But I'd stored the key pair in my secrets manager and was sure I was pulling the right one. 🤔
Here's my basic flow and the command that failed:
1. **Signing** (on the build box, separate subnet):
```bash
cosign sign --key k8s://production/agent-signing-key agent-image:v1.2.3
```
2. **Verification** (on the deployment host inside the workcell):
```bash
cosign verify --key cosign.pub agent-image:v1.2.3
```
*This is where it barked.*
**What I've checked already:**
* The public key (`cosign.pub`) is definitely the one paired with the private key used to sign.
* The artifact digest hasn't changed (pulled by digest for verification).
* No trailing whitespace in the key file (a classic).
My current suspicion is around **key formats**. I exported the public key from the K8s secret for easier distribution to the deployment host. Could there be a PEM encoding issue? Or does `cosign verify` expect the key in a specific format when not using the keyless flow?
Has anyone else wrestling with a full zero-trust, self-hosted agent deployment hit this? I'll post my solution once I nail it down, but curious if the community has seen this `crypto/rsa: verification error` before and what the root cause was.
Lee
Isolation is freedom.
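One check worth running on the deployment host before `cosign verify`, added here as an example that is not Lee's code or part of cosign: a stdlib-only Python script that confirms `cosign.pub` is a single PKIX `PUBLIC KEY` PEM block (the form `cosign generate-key-pair` writes), tolerates CRLF and stray whitespace, reports which algorithm the SubjectPublicKeyInfo encodes, and emits a SHA-256 of the DER for comparing against the key on the build side. The embedded sample is a constructed P-256 structure with all-zero coordinates, not a real key.

```python
import base64
import hashlib
import re

# DER-encoded OIDs of the public key algorithms cosign can verify with.
ALGORITHM_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "rsaEncryption",
    bytes.fromhex("2a8648ce3d0201"): "id-ecPublicKey",
    bytes.fromhex("2b6570"): "Ed25519",
}

def _der_len(buf, pos):  # -> (length, offset of first content byte)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _expect(buf, pos, tag):
    """Require DER tag `tag` at buf[pos]; return (content start, content end)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, start = _der_len(buf, pos + 1)
    return start, start + length

def check_cosign_public_key(pem_text):
    """Sanity-check a PEM public key destined for `cosign verify --key`."""
    text = pem_text.replace("\r\n", "\n").strip()          # CRLF and stray whitespace
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", text, re.S)
    if not m:
        raise ValueError("not a single well-formed PEM block")
    label, body = m.group(1), m.group(2)
    if label != "PUBLIC KEY":                              # PKCS#1 / certificate blocks are wrong here
        raise ValueError(f"PEM label is '{label}', expected PKIX 'PUBLIC KEY'")
    der = base64.b64decode("".join(body.split()), validate=True)
    spki_start, spki_end = _expect(der, 0, 0x30)           # SubjectPublicKeyInfo SEQUENCE
    if spki_end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_start, alg_end = _expect(der, spki_start, 0x30)    # AlgorithmIdentifier SEQUENCE
    oid_start, oid_end = _expect(der, alg_start, 0x06)     # algorithm OBJECT IDENTIFIER
    bits_start, bits_end = _expect(der, alg_end, 0x03)     # subjectPublicKey BIT STRING
    return {
        "algorithm": ALGORITHM_OIDS.get(der[oid_start:oid_end], "unknown"),
        "subject_public_key_bytes": bits_end - bits_start - 1,  # minus the unused-bits octet
        "der_sha256": hashlib.sha256(der).hexdigest(),
    }

# Constructed demo: syntactically valid P-256 SPKI with all-zero coordinates (placeholder, NOT a real key).
_DEMO_DER = bytes.fromhex("30593013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03420004") + b"\x00" * 64
DEMO_PEM = "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(_DEMO_DER).decode() + "-----END PUBLIC KEY-----\n"
```

Run the same check against the key exported on the build side and compare `der_sha256`; a mismatch means the wrong key was distributed, and the `algorithm` field shows whether the file is even an RSA key, which is what the `crypto/rsa` error says the verifier parsed.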