Description
We are working here with cosign and, as proposed, with the new bundle format, and sign the payload using a self-hosted Fulcio version. During the signing process we noticed that the intermediate certificates from the leaf certificate up to the root CA are not included in the signing metadata.
Also, using --certificate-chain= is useless with the new bundle format. Whether I specify a certificate chain or an invalid file, there is no difference in the created signature and its metadata.
To be able to validate a signature in the new bundle format, I currently need the entire certificate chain in the TUF root or the trusted_root.json, which from our point of view is a problem especially for air-gapped scenarios, in which we can't fetch an up-to-date version of the valid trust anchors on demand.
When switching back to the old bundle format, I can see that the certificate chain and the leaf certificate are included in the signature metadata of the old bundle format.
Version
cosign 3.0.2 and a self-compiled version built from the main branch
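To make the reported difference between the two bundle layouts concrete, the following is an added example (not cosign's code and not from the issue author) that inspects which certificates a bundle's verification material carries and whether verification therefore has to obtain the intermediates from trusted_root.json. It assumes the JSON field names of the Sigstore bundle and trusted-root formats (verificationMaterial.certificate for a single leaf, verificationMaterial.x509CertificateChain.certificates for leaf plus intermediates, certificateAuthorities[].certChain.certificates in the trusted root). The bundles and the trusted root in the block are constructed samples whose rawBytes are a placeholder DER SEQUENCE, not real certificates or signatures, so the script runs offline.

```python
"""Report which certificates a Sigstore bundle carries and where the rest of the
chain has to come from.  Added example for this issue, not cosign's own code.
Standard library only; all DER blobs below are constructed placeholders."""
import base64
import json

# Constructed placeholder: a valid DER SEQUENCE wrapping INTEGER 0x010203.
# It is NOT an X.509 certificate; it only exercises the length check below.
PLACEHOLDER_DER = bytes.fromhex("30050203010203")
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# Constructed sample of the new bundle layout: one leaf certificate under
# verificationMaterial.certificate and no intermediates (assumed field names).
NEW_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"certificate": {"rawBytes": PLACEHOLDER_B64}},
}

# Constructed sample of the old bundle layout: leaf plus two intermediates
# under verificationMaterial.x509CertificateChain (assumed field names).
OLD_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {
        "x509CertificateChain": {
            "certificates": [{"rawBytes": PLACEHOLDER_B64}] * 3
        }
    },
}

# Constructed trusted_root.json fragment: one Fulcio CA with a two-cert chain.
TRUSTED_ROOT = {
    "certificateAuthorities": [
        {"certChain": {"certificates": [{"rawBytes": PLACEHOLDER_B64}] * 2}}
    ]
}


def der_total_length(raw: bytes) -> int:
    """Return the encoded length of a top-level DER SEQUENCE and reject blobs
    that are truncated, padded or not a SEQUENCE at all."""
    if len(raw) < 2 or raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = raw[1]
    if first < 0x80:                      # short-form length
        header, content = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or len(raw) < 2 + n:
            raise ValueError("bad DER length encoding")
        header, content = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    if header + content != len(raw):
        raise ValueError("DER length does not match blob size")
    return header + content


def decode_rawbytes(entry: dict) -> bytes:
    """Base64-decode a rawBytes entry and sanity-check its DER framing."""
    der = base64.b64decode(entry["rawBytes"])
    der_total_length(der)
    return der


def bundle_certificates(bundle: dict):
    """Return (field name, list of DER certs) found in verificationMaterial."""
    vm = bundle["verificationMaterial"]
    if "certificate" in vm:
        return "certificate", [decode_rawbytes(vm["certificate"])]
    if "x509CertificateChain" in vm:
        chain = vm["x509CertificateChain"]["certificates"]
        return "x509CertificateChain", [decode_rawbytes(c) for c in chain]
    if "publicKey" in vm:
        return "publicKey", []
    raise ValueError("bundle carries no verification material")


def trusted_root_certificates(trusted_root: dict):
    """Flatten every CA chain certificate present in a trusted root."""
    return [decode_rawbytes(c)
            for ca in trusted_root.get("certificateAuthorities", [])
            for c in ca["certChain"]["certificates"]]


def chain_report(bundle: dict, trusted_root: dict) -> dict:
    """Summarise what the bundle ships and whether the intermediates must be
    supplied by the trusted root for verification to succeed."""
    field, certs = bundle_certificates(bundle)
    root_certs = trusted_root_certificates(trusted_root)
    return {
        "mediaType": bundle.get("mediaType"),
        "field": field,
        "certs_in_bundle": len(certs),
        "intermediates_in_bundle": max(len(certs) - 1, 0),
        "chain_must_come_from_trusted_root": field == "certificate",
        "certs_in_trusted_root": len(root_certs),
    }


if __name__ == "__main__":
    for name, b in (("new", NEW_BUNDLE), ("old", OLD_BUNDLE)):
        print(name, json.dumps(chain_report(b, TRUSTED_ROOT)))
```

Against a real bundle, replace the constructed dicts with `json.load()` of the bundle file and of the trusted_root.json you ship to the air-gapped verifier; a report with `intermediates_in_bundle` of 0 and `chain_must_come_from_trusted_root` true is exactly the situation the issue describes, and `certs_in_trusted_root` tells you whether the offline trust root actually contains the chain the verifier will need.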