
X509StoreContextError: unable to get local issuer certificate #109

Closed
tetsuo-cpp opened this issue Jun 3, 2022 · 5 comments · Fixed by #110
Assignees: tetsuo-cpp
Labels: bug (Something isn't working), component:verification (Core verification functionality)

Comments

@tetsuo-cpp
Contributor

I noticed this exception raised when running verification:

Traceback (most recent call last):
  File "/Users/tetsuo/Code/sigstore-python/env/bin/sigstore", line 8, in <module>
    sys.exit(main())
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/Users/tetsuo/Code/sigstore-python/sigstore/_cli.py", line 299, in _verify
    if verify(
  File "/Users/tetsuo/Code/sigstore-python/sigstore/_verify.py", line 128, in verify
    store_ctx.verify_certificate()
  File "/Users/tetsuo/Code/sigstore-python/env/lib/python3.9/site-packages/OpenSSL/crypto.py", line 1896, in verify_certificate
    raise self._exception_from_context()
OpenSSL.crypto.X509StoreContextError: [20, 0, 'unable to get local issuer certificate']

This is trivial to trigger for me. All I need to do is this:

$ sigstore sign test_file.txt --output-signature --output-certificate
$ sigstore verify test_file.txt --cert test_file.txt.crt --signature test_file.txt.sig

From looking around, the error seems to indicate that we might need to pass the entire certificate chain into verification.

@tetsuo-cpp tetsuo-cpp added bug Something isn't working component:verification Core verification functionality labels Jun 3, 2022
@tetsuo-cpp tetsuo-cpp self-assigned this Jun 3, 2022
@tetsuo-cpp
Contributor Author

Weird... I tried with an older certificate I had lying around and I didn't have this problem. So it's something specific to the ones being returned from Fulcio now. I wonder what has changed.

@tetsuo-cpp
Contributor Author

tetsuo-cpp commented Jun 3, 2022

Still unsure about this. The Fulcio signing key doesn't appear to have changed. When I write the chain certificates to the disk, I still have the same problem when I use the openssl tool directly.

I'm doing:

$ openssl verify -CAfile sigstore/_store/fulcio.crt.pem -untrusted chain0.crt -untrusted chain1.crt test_file.txt.crt
test_file.txt.crt:
error 20 at 0 depth lookup:unable to get local issuer certificate

@di
Member

di commented Jun 3, 2022

I believe Fulcio did introduce an intermediate certificate, see sigstore/cosign#1774

@tetsuo-cpp
Contributor Author

tetsuo-cpp commented Jun 3, 2022

> I believe Fulcio did introduce an intermediate certificate, see sigstore/cosign#1774

Thanks! That looks promising. I'll take a look.

@tetsuo-cpp
Contributor Author

@di Yep, that was the issue. Thanks for that. I'll make a PR now.
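The failure mode discussed in this thread, as an added example that is not part of the issue or of sigstore-python: a constructed root, intermediate and leaf chain is built with the openssl CLI, and the leaf is verified first against the root alone (which reproduces error 20, "unable to get local issuer certificate") and then with the intermediate supplied as an untrusted chain certificate. It assumes the openssl CLI (1.1.1 or newer) is installed; all certificate names are constructed here.

```shell
# Added example (not sigstore-python code): build a constructed root -> intermediate
# -> leaf chain with the openssl CLI, then show that verifying the leaf against the
# root alone yields error 20, while supplying the intermediate as untrusted succeeds.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Generate a P-256 key and CSR: newkey <basename> <CN>
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# Self-signed root: the trust anchor (the role fulcio.crt.pem plays in the thread).
newkey root "Constructed Root"
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 -extfile ca.ext 2>/dev/null

# Intermediate CA issued by the root (the certificate Fulcio started emitting).
newkey int "Constructed Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 1 -extfile ca.ext 2>/dev/null

# Leaf signing certificate issued by the intermediate (the role of test_file.txt.crt).
newkey leaf "Constructed Leaf"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 1 -extfile leaf.ext 2>/dev/null

# Trust only the root: OpenSSL cannot find the leaf's issuer, which is exactly
# "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_root_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo "verified"; else echo "missing-intermediate"; fi
}

# Same root, but the intermediate is supplied as an untrusted chain certificate,
# so the path leaf -> intermediate -> root can be built and the leaf verifies.
verify_with_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo "verified"; else echo "missing-intermediate"; fi
}

verify_root_only   # missing-intermediate
verify_with_chain  # verified
```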
