From 765ebbacfe20fd3db965713db726490f9e6945ee Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 7 Nov 2023 09:10:27 +0200 Subject: [PATCH] OIDC identity matching for keyless verification Signed-off-by: Stefan Prodan --- rfcs/0003-kubernetes-oci/README.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/rfcs/0003-kubernetes-oci/README.md b/rfcs/0003-kubernetes-oci/README.md index 429b18803d..be3e7e63c4 100644 --- a/rfcs/0003-kubernetes-oci/README.md +++ b/rfcs/0003-kubernetes-oci/README.md @@ -4,7 +4,7 @@ **Creation date:** 2022-03-31 -**Last update:** 2023-02-20 +**Last update:** 2023-11-07 ## Summary @@ -232,14 +232,26 @@ spec: ``` For verifying public artifacts which are signed using the keyless method, -the `spec.verify.secretRef` field must be omitted: +the `.spec.verify.matchOIDCIdentity` field must be used instead of + `spec.verify.secretRef`. ```yaml spec: verify: provider: cosign + matchOIDCIdentity: + - issuer: "^https://token.actions.githubusercontent.com$" + subject: "^https://github.com/org/app-repository.*$" ``` +The `matchOIDCIdentity` entries must contain the following fields: + +- `.issuer`, regexp that matches against the OIDC issuer. +- `.subject`, regexp that matches against the subject identity in the certificate. + +The entries are evaluated in an OR fashion, i.e. the identity is deemed to be +verified if any one entry successfully matches against the identity. + When using the keyless method, Flux will verify the signatures in the Rekor transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/). 
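Review bot: the example subject regexp in the README hunk, `subject: "^https://github.com/org/app-repository.*$"`, is looser than it looks: with `.*` directly after the repository name and no `/` separator, it also matches any repository whose name merely starts with `app-repository` (e.g. `org/app-repository-fork`), so a signature from such a repository would satisfy the check. Suggest `^https://github.com/org/app-repository/.*$`, or anchoring to the full workflow path as Sigstore certificates carry it. Two smaller points in the same hunk: the bullets say the fields are "regexp that matches against" the issuer/subject without stating whether a partial match is enough, which is exactly why the example needs `^` and `$`, so one sentence saying unanchored patterns match substrings would save users from writing `issuer: "token.actions.githubusercontent.com"` and getting a lookalike issuer accepted; and the continuation line ` `spec.verify.secretRef`.` has a leading space and drops the leading dot used in `.spec.verify.matchOIDCIdentity`, so the two field paths should be written the same way (`.spec.verify.secretRef`) on one line. It would also help to state what the controller does when neither `secretRef` nor `matchOIDCIdentity` is set for `provider: cosign` (rejected, or verified without identity constraints), since the old text made omitting `secretRef` the documented keyless configuration.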
@@ -470,3 +482,5 @@ The feature is enabled by default. * **2022-08-29** Select layer by OCI media type released with [flux2 v0.33.0](https://github.com/fluxcd/flux2/releases/tag/v0.33.0) * **2022-09-29** Verifying OCI artifacts with Cosign released with [flux2 v0.35.0](https://github.com/fluxcd/flux2/releases/tag/v0.35.0) * **2023-02-20** Custom OCI media types released with [flux2 v0.40.0](https://github.com/fluxcd/flux2/releases/tag/v0.40.0) +* **2023-10-31** OIDC identity verification implemented in + [source-controller#1250](https://github.com/fluxcd/source-controller/pull/1250)
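Review bot: the new history entry is the only one in the list that cites a pull request rather than the flux2 release the feature shipped in; every other line reads "released with [flux2 vX.Y.Z](...)". If the feature is not yet released, say so explicitly (e.g. "implemented in source-controller#1250, not yet released") so readers of the RFC do not assume the `matchOIDCIdentity` field documented above is available in their installed version, and update the line to the release once it is cut.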