
Allow specifying CA chain when not using Fulcio #1554

@bburky

Description

When using a local PEM key file, a PKCS#11 key, or a KMS key, a user should be able to specify --cert and something like --chain to specify the dev.sigstore.cosign/certificate and dev.sigstore.cosign/chain.

The following already works to specify the certificate, and correctly adds it to the cosign signature:

cosign sign --key awskms:///... --cert cert.pem example.com/foo

However, --cert is silently ignored in the following command (the certificate from the token is used instead of the provided one): (this is a separate bug really, should I create a new issue for it?)

cosign sign --key pkcs11:... --cert cert.pem example.com/foo

It is not possible with either of these to specify the CA chain. If my certificate is signed by existing PKI, I would like to include the intermediate certificates and root in the signature.

Two possible implementations would be:

  1. Add a new argument like --chain which includes a chain of certificates.
  2. Allow the --cert file to include both the leaf cert, and a chain of intermediates.
    • One issue with this is that a user may want to use the public key on the PKCS#11 token and provide a chain to include in the signature. This option would force them to extract the public key from their token to include in this file. If the chain is supplied separately with --chain they do not need to.

Providing the certificate chain is incompatible with using Fulcio, and should return an error.
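To show why a separately supplied chain matters to the verifier (the point of the request above), here is an added Go example that is not part of this issue or of cosign's code. It builds a constructed root, intermediate and leaf with crypto/x509, encodes the intermediate as concatenated PEM blocks the way a --chain file would be read (and, by assumption, the way the dev.sigstore.cosign/chain annotation would carry it), and then verifies the leaf against the trusted root once with that chain and once without it. The helper names, the Demo function and the certificate subjects are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate together with its freshly generated key. Constructed
// helper for this example, not cosign code.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a minimal certificate template valid for a day around now.
// CAs get the certSign key usage; the leaf gets the code-signing EKU.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// encodePEM concatenates certificates as PEM blocks: the form a --chain file
// (and, assumed here, the dev.sigstore.cosign/chain annotation) would carry.
func encodePEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyLeaf does what a verifier must do with the signing certificate: build a
// path from the leaf, through the supplied intermediates only, to a root it
// already trusts. An intermediate missing from chainPEM cannot be discovered.
func verifyLeaf(leafPEM, chainPEM []byte, trustedRoot *x509.Certificate) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("leaf: no CERTIFICATE PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	intermediates.AppendCertsFromPEM(chainPEM) // an empty chain adds nothing
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Demo builds a constructed root -> intermediate -> leaf PKI and verifies the
// leaf with the intermediate chain supplied and with it omitted.
func Demo() (withChain, withoutChain error) {
	root, rootKey, err := issue(template(1, "Constructed Root CA", true), nil, nil)
	if err != nil {
		return err, err
	}
	inter, interKey, err := issue(template(2, "Constructed Intermediate CA", true), root, rootKey)
	if err != nil {
		return err, err
	}
	leaf, _, err := issue(template(3, "signer@example.com (constructed)", false), inter, interKey)
	if err != nil {
		return err, err
	}
	leafPEM := encodePEM(leaf)
	return verifyLeaf(leafPEM, encodePEM(inter), root), verifyLeaf(leafPEM, nil, root)
}

func main() {
	withChain, withoutChain := Demo()
	fmt.Println("with chain supplied:   ", withChain)
	fmt.Println("without chain supplied:", withoutChain)
}
```

Run as-is, the first line reports a nil error and the second an unknown-authority error: the leaf is identical in both cases, and only the presence of the intermediate in the supplied chain lets the verifier reach the trusted root. That is the gap the request above is about, and it also shows why a verifier should treat the chain as untrusted input to path-build from, never as a trust anchor in itself.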

Metadata

Labels: enhancement (New feature or request)