-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accept URI for Sigstore Signed Images #2182
Conversation
Allows for container images signatures with a URI instead of a email address as the SAN. This is needed in certain cases such as using a github workflow to sign a container using the github actions OIDC token. The URI field was added to the `fulcioTrustRoot` struct and associated functions were modifed/created. Logic to handle either having a URI or email address as the SAN was also implemented. Signed-off-by: Luke Yang <[email protected]>
Hello @mtrmac, this is a small patch I've made to the |
Thanks for working on this! Without digging into the details, I think (unless I'm misunderstanding something here) this should be a PR against https://github.com/containers/image - any changes to the vendored sources here would be lost when updating. BTW a common thing when developing Go is to use the replace directive so that you can build a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
- Yes, this needs to be a PR against containers/image, not against Skopeo . Please file one and we’ll continue there.
- I’m not immediately sure the URI field is the one we should target. Can you post the full
openssl x509 -text
of the generated certificate, please? https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#directory documents various more specific fields, maybe this should actually target one (or more?) of them. OTOH just matching on SubjectAltName URIs might be more general. I don’t have a strong opinion so far. - For c/image/signature, it would also need unit tests with close-to-perfect coverage (both of the policy parsing and implementation/enforcement).
if !slices.Contains(untrustedCertificate.EmailAddresses, f.subjectEmail) && !strings.Contains(untrustedCertificate.URIs[0].String(), f.URI) { | ||
if len(untrustedCertificate.EmailAddresses) > 0 { | ||
return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Required email %s not found (got %#v)", | ||
f.subjectEmail, | ||
untrustedCertificate.EmailAddresses)) | ||
} | ||
if len(untrustedCertificate.URIs) > 0 { | ||
return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Required URI %s not found (got %#v)", | ||
f.URI, | ||
untrustedCertificate.URIs)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
⚠️ If the policy requires both an email address and an URI, this must not accept signatures which only have one of them- This is invoking
slices.Contains(…, "")
if the field is not set. That’s at the very least unclean. - I suspect the error reporting logic should also be tightened. It must primarily decide based on the policy, not on attacker-set
untrusted*
fields.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the policy requires both an email address and an URI, this must not accept signatures which only have one of them
I believe this would be an invalid policy with cosign. One or the other. A signed container won't have all the OIDs from my experience it will have a subset based on whether it was signed via the interactive cosign workflow or keyless method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then such an invalid policy must be rejected at parsing/initialization time, not processed in an unexpected way.
if gotSubjectEmail && !gotURI { | ||
opts = append(opts, PRSigstoreSignedFulcioWithSubjectEmail(tmp.SubjectEmail)) | ||
} | ||
if !gotSubjectEmail && gotURI { | ||
opts = append(opts, PRSigstoreSignedFulcioWithURI(tmp.URI)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is silently ignoring the options if both are specified?!
Moved to containers/image#2235 |
Fixes coreos/rpm-ostree#4272 (comment)
Allows for container images signatures with a URI instead of a email
address as the SAN. This is needed in certain cases such as using a github workflow to sign a container using the github actions OIDC token.
The URI field was added to the
fulcioTrustRoot
struct and associated functions were modifed/created. Logic to handle either having a URI or email address as the SAN was also implemented.Testing:
Copy and store
fulcio_v1.crt.pem
to/etc/pki/containers/fulcio.sigstore.dev.pub
andrekor.pub
to/etc/pki/containers/rekor.sigstore.dev.pub
, both of which can be found at: https://github.com/sigstore/root-signing/blob/main/README.mdConfigure
/etc/containers/policy.json
/etc/containers/registries.d/ghcr.io.yaml