Error: "bundle does not contain cert for verification, please provide public key"

[mendhak]

I am trying to learn how to use cosign, and wanted to try it out on one of the Python sigstore bundles on this page (go to bottom):

https://www.python.org/downloads/release/python-3140a1/

Now, using the pip module works, but I wanted to try using the cosign CLI for learning and consistency. When I did so,

cosign verify-blob Python-3.14.0a1.tgz --bundle Python-3.14.0a1.tgz.sigstore --cert-identity hugo@python.org --cert-oidc-issuer https://github.com/login/oauth

I get this error:

bundle does not contain cert for verification, please provide public key

Why is it asking for a public key, where can I get it from?

Would it be visible in the Rekor log?

[haydentherapper]

"bundle" is unfortunately an overloaded term in Cosign. When used in the command you've provided, "bundle" refers to a different structured output than what sigstore-python (or other sigstore libraries like sigstore-go, sigstore-js, etc) output.

You need to add --new-bundle-format for this command to work.

cc @steiza who added support, and there's some documentation in https://blog.sigstore.dev/cosign-verify-bundles/

[mendhak]

Yes that was it,

cosign verify-blob Python-3.14.0a1.tgz --bundle Python-3.14.0a1.tgz.sigstore --cert-identity hugo@python.org --cert-oidc-issuer https://github.com/login/oauth --new-bundle-format

and the blog link looks useful, from that I learned about npm and Github Artifact's usage. Thanks for teaching me!