-
Hi @zachbugay, sorry about the delay in response, we will definitely do more regular discussion check-ins in the future. Just to confirm the scenario, are you using the built-in Notation verifier or the Cosign plugin for signature validation?
-
Hi @zachbugay, I assume that you signed images using Notation. Cosign keyless signing eliminates the need for users to manage certificates. Additionally, Cosign key signing with a certificate chain supports timestamping. By specifying a timestamping server during Cosign signing, you can verify images even after their certificates expire. Unfortunately, Notation (version 1.1.0) lacks built-in timestamping support, which means signature verification may fail if signing certificates expire. However, the Notary Project community is actively working on adding timestamping support. In the upcoming Notation 1.2.0 release, timestamping will be available. Until then, a workaround involves re-signing the image using rotated certificates and configuring the Notation verifier accordingly. If the root CA certificate remains unchanged and you've set up an inline certificate store in Ratify, no additional configuration is needed on the Ratify side. If you configured an AKV store, you need to re-apply the related CR to trigger Ratify to pull the latest version of the signing certificate and certificate chain. Let us know if this answered your question.
-
What happens after the certificate is expired/rotated? Are the images signed with the old cert still valid, or would they stop working at that point? Would they all have to be re-signed with the new image in order to be accepted into the cluster?
Let's say I have SigningCertA and it lasts for 12 months. I have 100 images signed with that cert and stored in my Container Registry. Ratify is up and running and using the SigningCertA. 12 months go by. I have relatively few releases.
After 12 months and 1 day, something bad happens to my cluster and I need to run these images again. Technically, the certificate has expired and has been rotated. So now Ratify has a new cert.
Does this mean that all my images signed with the old certificate will no longer run in my cluster, assuming Ratify is pointing to the rotated cert?
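The expiry behaviour described in the second reply and the SigningCertA scenario from the question, modelled as an added Python example (not code from Ratify, Notation, Cosign or any participant in this thread): certificate validity windows, a signature with or without a timestamp countersignature, and a verifier that either ignores timestamps (as Notation 1.1.0 does) or honours them. All certificate names, dates and the image reference are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the validity window matters here."""
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class Signature:
    image: str
    signing_cert: Cert
    # Optional RFC 3161-style countersignature: the time asserted by the TSA and the
    # TSA certificate, which must itself be trusted at verification time.
    timestamp: Optional[datetime] = None
    tsa_cert: Optional[Cert] = None


def verify(sig: Signature, now: datetime, timestamping_supported: bool) -> tuple[bool, str]:
    """Return (ok, reason). timestamping_supported=False models a verifier that checks the
    signing certificate only against the current time, which is what makes old signatures
    fail the day after the certificate expires."""
    if timestamping_supported and sig.timestamp is not None and sig.tsa_cert is not None:
        if not sig.tsa_cert.valid_at(now):
            return False, "timestamp authority certificate is not valid now"
        if not sig.signing_cert.valid_at(sig.timestamp):
            return False, "signing certificate was not valid at the timestamped signing time"
        return True, "signing certificate was valid at signing time (trusted timestamp)"
    if sig.signing_cert.valid_at(now):
        return True, "signing certificate is currently valid"
    return False, f"{sig.signing_cert.name} expired on {sig.signing_cert.not_after:%Y-%m-%d}"


# Constructed scenario: SigningCertA lasts 12 months, then is rotated to SigningCertB.
T0 = datetime(2024, 1, 1)
CERT_A = Cert("SigningCertA", T0, T0 + timedelta(days=365))
CERT_B = Cert("SigningCertB", CERT_A.not_after, CERT_A.not_after + timedelta(days=365))
TSA = Cert("ExampleTSA", T0, T0 + timedelta(days=3650))
DAY_AFTER_EXPIRY = CERT_A.not_after + timedelta(days=1)

sig_old = Signature("registry.example/app:1.0", CERT_A)  # signed with A, no timestamp
sig_ts = Signature("registry.example/app:1.0", CERT_A, timestamp=T0 + timedelta(days=30), tsa_cert=TSA)
sig_resigned = Signature("registry.example/app:1.0", CERT_B)  # workaround: re-signed with the rotated cert
```

Calling `verify(sig_old, DAY_AFTER_EXPIRY, False)` reproduces the failure from the question, while the timestamped signature passes only when the verifier honours timestamps, and the re-signed image passes without one.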