Merge pull request #2526 from mtrmac/sigstore-multi-rekor
Add support for accepting multiple Rekor public keys
Showing
10 changed files
with
335 additions
and
102 deletions.
@@ -330,7 +330,9 @@ This requirement requires an image to be signed using a sigstore signature with | |
"subjectEmail", "[email protected]", | ||
}, | ||
"rekorPublicKeyPath": "/path/to/local/public/key/file", | ||
"rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"], | ||
"rekorPublicKeyData": "base64-encoded-public-key-data", | ||
"rekorPublicKeyDatas": ["base64-encoded-public-key-one-data","base64-encoded-public-key-two-data"], | ||
"signedIdentity": identity_requirement | ||
} | ||
``` | ||
|
@@ -348,13 +350,13 @@ Both `oidcIssuer` and `subjectEmail` are mandatory, | |
exactly specifying the expected identity provider, | ||
and the identity of the user obtaining the Fulcio certificate. | ||
|
||
At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present; | ||
At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present; | ||
it is mandatory if `fulcio` is specified. | ||
If a Rekor public key is specified, | ||
the signature must have been uploaded to a Rekor server | ||
and the signature must contain an (offline-verifiable) “signed entry timestamp” | ||
proving the existence of the Rekor log record, | ||
signed by the provided public key. | ||
signed by one of the provided public keys. | ||
|
||
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. | ||
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). | ||
|
@@ -442,6 +442,7 @@ func TestVerifyRekorFulcio(t *testing.T) { | |
require.NoError(t, err) | ||
rekorKeyECDSA, ok := rekorKey.(*ecdsa.PublicKey) | ||
require.True(t, ok) | ||
rekorKeysECDSA := []*ecdsa.PublicKey{rekorKeyECDSA} | ||
setBytes, err := os.ReadFile("fixtures/rekor-set") | ||
require.NoError(t, err) | ||
sigBase64, err := os.ReadFile("fixtures/rekor-sig") | ||
|
@@ -450,7 +451,7 @@ func TestVerifyRekorFulcio(t *testing.T) { | |
require.NoError(t, err) | ||
|
||
// Success | ||
pk, err := verifyRekorFulcio(rekorKeyECDSA, &fulcioTrustRoot{ | ||
pk, err := verifyRekorFulcio(rekorKeysECDSA, &fulcioTrustRoot{ | ||
caCertificates: caCertificates, | ||
oidcIssuer: "https://github.com/login/oauth", | ||
subjectEmail: "[email protected]", | ||
|
@@ -459,7 +460,7 @@ func TestVerifyRekorFulcio(t *testing.T) { | |
assertPublicKeyMatchesCert(t, certBytes, pk) | ||
|
||
// Rekor failure | ||
pk, err = verifyRekorFulcio(rekorKeyECDSA, &fulcioTrustRoot{ | ||
pk, err = verifyRekorFulcio(rekorKeysECDSA, &fulcioTrustRoot{ | ||
caCertificates: caCertificates, | ||
oidcIssuer: "https://github.com/login/oauth", | ||
subjectEmail: "[email protected]", | ||
|
@@ -468,7 +469,7 @@ func TestVerifyRekorFulcio(t *testing.T) { | |
assert.Nil(t, pk) | ||
|
||
// Fulcio failure | ||
pk, err = verifyRekorFulcio(rekorKeyECDSA, &fulcioTrustRoot{ | ||
pk, err = verifyRekorFulcio(rekorKeysECDSA, &fulcioTrustRoot{ | ||
caCertificates: caCertificates, | ||
oidcIssuer: "https://github.com/login/oauth", | ||
subjectEmail: "[email protected]", | ||
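Review bot: Every call in this test still passes a one-element slice (`rekorKeysECDSA := []*ecdsa.PublicKey{rekorKeyECDSA}`), so the new "signed by one of the provided public keys" acceptance path that this PR adds to verifyRekorFulcio is never exercised beyond the old single-key behaviour. I would add at least three cases: a slice where only the second key matches the SET (must succeed), a slice containing only non-matching keys (must fail with nil pk), and an empty slice (must fail rather than accept — worth pinning explicitly, because an implementation that only reports an error when a candidate key mismatches could accept on zero keys; I cannot see the implementation here, so treat that as something to confirm). An unrelated key for the negative cases can come from `ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`, and the empty case is just `pk, err = verifyRekorFulcio([]*ecdsa.PublicKey{}, /* same trust root and args */)` followed by `assert.Error(t, err)` and `assert.Nil(t, pk)`. TestVerifyRekorFulcio begins before the first hunk and continues past the last one, and each call's trailing arguments are cut off, so I have not seen the remaining parameters.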
|