Cosign Panic When Signing with Yubikey Hardware Token

[Kynson]

Description
When trying to sign something (I have tested sign for image and sign-blob) with a Yubikey 5C NFC result in a goroutine panic:

$ cosign sign --sk --slot 'authentication' $IMAGE_DIGEST
panic: interface conversion: interface is nil, not crypto.Signer

goroutine 1 [running]:
github.com/sigstore/cosign/v3/pkg/cosign/pivkey.(*Key).SignMessage(0x140008412d8?, {0x1060e7180?, 0x140006502a0?}, {0x105d13dc0?, 0x1?, 0x14000a7acf0?})
	github.com/sigstore/cosign/v3/pkg/cosign/pivkey/pivkey.go:273 +0x1cc
github.com/sigstore/cosign/v3/internal/key.(*SignerVerifierKeypair).SignData(0x1400038b780, {0x10611dd00, 0x107f45c80}, {0x1400031c480, 0x111, 0x120})
	github.com/sigstore/cosign/v3/internal/key/svkeypair.go:132 +0x1c8
github.com/sigstore/sigstore-go/pkg/sign.Bundle({0x106100420, 0x14000650240}, {0x10612d8f0, 0x1400038b780}, {{0x1060e7d40, 0x14000a7acc0}, 0x0, {0x0, 0x0, 0x0}, ...})
	github.com/sigstore/sigstore-go@v1.1.4/pkg/sign/signer.go:68 +0xd0
github.com/sigstore/cosign/v3/pkg/cosign/bundle.SignData({0x10611dd38, 0x1400063b7a0}, {0x106100420, 0x14000650240}, {0x10612d8f0, 0x1400038b780}, {0x0?, 0x0}, {0x14000a41400?, 0x2a8?, ...}, ...)
	github.com/sigstore/cosign/v3/pkg/cosign/bundle/sign.go:140 +0x930
github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon.WriteNewBundleWithSigningConfig({_, _}, {0x1, {0x16d6b3488, 0xe}, {0x0, 0x0}, {0x104cb7236, 0x1b}, {0x104cb2bce, ...}, ...}, ...)
	github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon/common.go:534 +0x1fc
github.com/sigstore/cosign/v3/cmd/cosign/cli/sign.signDigestBundle({_, _}, {{{_, {_, _}}, {_, _}}, {_, _}, {_, ...}}, ...)
	github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/sign.go:200 +0x610
github.com/sigstore/cosign/v3/cmd/cosign/cli/sign.SignCmd.func1({0x10611dd38, 0x1400063b7a0}, {0x10611e2e8, 0x1400063b770})
	github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/sign.go:141 +0x2f8
github.com/sigstore/cosign/v3/pkg/oci/walk.SignedEntity.func1({0x10611dd38?, 0x1400063b7a0?}, {0x10611e2e8, 0x1400063b770})
	github.com/sigstore/cosign/v3/pkg/oci/walk/walk.go:35 +0x34
github.com/sigstore/cosign/v3/pkg/oci/mutate.Map({0x10611dde0, 0x140000f1180}, {0x10611e2e8, 0x1400063b770}, 0x140008428d8)
	github.com/sigstore/cosign/v3/pkg/oci/mutate/map.go:48 +0x6c
github.com/sigstore/cosign/v3/pkg/oci/walk.SignedEntity({0x10611dde0?, 0x140000f1180?}, {0x10611e2e8?, 0x1400063b770?}, 0x1?)
	github.com/sigstore/cosign/v3/pkg/oci/walk/walk.go:34 +0x3c
github.com/sigstore/cosign/v3/cmd/cosign/cli/sign.SignCmd({_, _}, _, {0x1, {0x16d6b3488, 0xe}, {0x0, 0x0}, {0x104cb7236, 0x1b}, ...}, ...)
	github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/sign.go:133 +0x814
github.com/sigstore/cosign/v3/cmd/cosign/cli.Sign.func1(0x140008b3808, {0x14000148600, 0x1, 0x6})
	github.com/sigstore/cosign/v3/cmd/cosign/cli/sign.go:137 +0x2d8
github.com/spf13/cobra.(*Command).execute(0x140008b3808, {0x140001485a0, 0x6, 0x6})
	github.com/spf13/cobra@v1.10.2/command.go:1015 +0x7d4
github.com/spf13/cobra.(*Command).ExecuteC(0x14000690f08)
	github.com/spf13/cobra@v1.10.2/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x104c967db?)
	github.com/spf13/cobra@v1.10.2/command.go:1071 +0x1c
main.main()
	github.com/sigstore/cosign/v3/cmd/cosign/main.go:64 +0x3b8

Key Pair Info: Both Ed25519 and ECCP384 key pair fail.

Note: This key is generated by Yubico Authenticator on device (not imported, cosign piv-tool attestation --slot 'authentication' is successful) as I cannot use cosign piv-tool generate-key due to #3742.

Note 2: I also tried to use pkcs#11, but as described in this discussion. Unfortunately, I have to recompile cosign for this to have a chance to work.

Version
Installed with nix darwin, compiled with pivkey and pkcs11key tags

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v3.0.5
GitCommit:     unknown
GitTreeState:  clean
BuildDate:     unknown
GoVersion:     go1.25.7
Compiler:      gc
Platform:      darwin/arm64

YubiKey Firmware Version: 5.7.1

[salrashid123]

theres some codepath which is calling the Key.Close() call prematurely which causes everything to nil

can you check if that works using the edits in func (k *Key) Close() { below and recompiling.

diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go
index 59cd5ea8..0a69764f 100644
--- a/cmd/cosign/cli/pkcs11cli/commands.go
+++ b/cmd/cosign/cli/pkcs11cli/commands.go
@@ -98,6 +98,11 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
 	defer ctx.Destroy()
 	defer ctx.Finalize()
 
+	_, err = ctx.GetSlotList(true)
+	if err != nil {
+		return nil, fmt.Errorf("error getting slotlist %w", err)
+	}
+
 	// Get token Info.
 	var tokenInfo pkcs11.TokenInfo
 	tokenInfo, err = ctx.GetTokenInfo(uint(slotID))
diff --git a/pkg/cosign/pkcs11key/pkcs11key.go b/pkg/cosign/pkcs11key/pkcs11key.go
index 50dfb1ed..c37403ad 100644
--- a/pkg/cosign/pkcs11key/pkcs11key.go
+++ b/pkg/cosign/pkcs11key/pkcs11key.go
@@ -187,6 +187,9 @@ func GetKeyWithURIConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
 			cert, _ = ctx.FindCertificate(nil, config.KeyLabel, nil)
 		}
 	}
+	if err != nil {
+		return nil, err
+	}
 
 	return &Key{ctx: ctx, signer: signer, cert: cert}, nil
 }
@@ -265,9 +268,10 @@ func (k *Key) SignerVerifier() (signature.SignerVerifier, error) {
 }
 
 func (k *Key) Close() {
-	k.ctx.Close()
+	fmt.Println(">>>>>>> close called")
+	// k.ctx.Close()
 
-	k.signer = nil
-	k.cert = nil
-	k.ctx = nil
+	// k.signer = nil
+	// k.cert = nil
+	// k.ctx = nil
 }```

[salrashid123]

looks like the piv codpath is also closing somewher

## build with pivkey
go build -tags=pkcs11key,pivkey cmd/cosign/main.go


cosign  sign-blob  --sk --slot 'signature'  --bundle /tmp/artifact.sigstore.json /tmp/message.txt
Using payload from: /tmp/message.txt
Signing artifact... \  key: 
Please tap security key...
Error: signing /tmp/message.txt: signing bundle: error signing bundle: pin longer than 8 bytes
error during command execution: signing /tmp/message.txt: signing bundle: error signing bundle: pin longer than 8 bytes

(i don't know what the pin error is about but i do have atlest COSIGN_PKCS11_PIN)

---

diff --git a/pkg/cosign/pivkey/pivkey.go b/pkg/cosign/pivkey/pivkey.go
index 4f765bbc..c83d2b23 100644
--- a/pkg/cosign/pivkey/pivkey.go
+++ b/pkg/cosign/pivkey/pivkey.go
@@ -80,12 +80,12 @@ func GetKeyWithSlot(slot string) (*Key, error) {
 }
 
 func (k *Key) Close() {
-       k.Pub = nil
-       k.Priv = nil
+       //k.Pub = nil
+       //k.Priv = nil
 
-       k.slot = nil
-       k.pin = ""
-       k.card.Close()
+       //k.slot = nil
+       //k.pin = ""
+       //k.card.Close()
 }

[Kynson]

I read the code for the signcommon module to try to find out what code is trying to close the Key, and I found that this is potentially due to GetKeyPairToken trying to close the SignerVerifierupon exit with defer, which in turns close the Key. Moving the close logic to WriteNewBundleWithSigningConfig as follows managed to allow me to go further. (Although it now complains about not able to find SAN, but this is due to the certificate on the key, not related to this issue)

I am not a go programmer, so I can't do a very detailed analysis. Maybe need someone to dig deeper and find a better fix.

diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go
index 6b11d45..ff5f871 100644
--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
@@ -107,7 +107,8 @@ func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain
        certBytes = sv.Cert
        defer func() {
                if sv != nil {
-                       sv.Close()
+                       fmt.Println("sv close in get keypair and token (ignored)")
+                       // sv.Close()
                }
        }()
 
@@ -512,7 +513,8 @@ func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.Log
 
 // WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer.
 func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, bundleOpts CommonBundleOpts, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) error {
-       keypair, _, certBytes, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
+       keypair, sv, certBytes, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
+       defer sv.Close()
        if err != nil {
                return fmt.Errorf("getting keypair and token: %w", err)
        }

Output:

$ ./main sign-blob --sk --slot 'authentication' --signing-config ~/cosign.json ./LICENSE                                                                                           21:36:59
sv close in get keypair and token (ignored)
Using payload from: ./LICENSE
Signing artifact... -  key: 
Please tap security key...
Error: signing ./LICENSE: signing bundle: error signing bundle: failed to summarize certificate: no Subject Alternative Name found
error during command execution: signing ./LICENSE: signing bundle: error signing bundle: failed to summarize certificate: no Subject Alternative Name found