-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Support "keyless" verification non-Fulcio certificate authorities #2630
Comments
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
cc @znewman01 since we were chatting about this recently We definitely need a cohesive story around BYO PKI UX, since issues like this have popped up a few times. This seems like a reasonable approach, though I personally would prefer we encourage TUF usage over passing roots by flag. It's not difficult to set up a TUF repo, and it offers far more secure methods of managing root key material in one's PKI. |
Yeah I agree that passing roots by file is less secure and we should encourage folks to set up a TUF root for distribution if possible, but I think its would be nice to keep the option there even if its got the usual discouraging name like |
One thing that Zack proposed that I liked was namespacing verification with self hosted PKI. This would let us be opinionated about TUF for some verification, but allow for other verification for the BYO case. This lets us avoid calling parts of verification insecure since there’s an assumption that you know what you’re doing with self hosted. This would be a ways out obviously so adding this flag seems reasonable. |
Is the idea with namespacing self-hosted PKI to split it off into its own subcommand like e.g |
A different set of CLI commands with their own flags. The verification API should be designed to support any use case (it shouldn’t be TUF aware for example, the CLI layer should just parse the input and pass it to the verifiers). Main concern with this approach is creating even more verify functions, we already have a lot! |
Yeah agreed that the verify functions are kind of a lot, but I will say that the user experience might be better if BYO PKI has its own subcommand. I've been playing around with this BYO PKI using a step-ca configured to look kinda like Fulcio that respects OIDC tokens from my Gitea instance and I found it really tricky to understand which flags on the existing |
Flag bloat is definitely an issue. Tangential, I’m curious what the verify command looked like and how we can simplify. |
So the flow right now looks like this # Build example image with ko
KO_DOCKER_REPO=code.nfsmith.ca/nsmith/seccon ko build --bare > image
# Get a code signing cert from my step-ca
step ca certificate code@nfsmith.ca cert.pem key.pem
# Import the private key to the cosign format. (Lets get rid of this odd step in the BYO PKI experience? I'm going to delete the key right after this anyways..)
COSIGN_PASSWORD=derp cosign import-key-pair --key key.pem
# Signing
COSIGN_PASSWORD=derp cosign sign --key import-cosign.key --certificate cert.pem \
--certificate-chain bundle.pem $(cat image)
# Delete private key
rm import-cosign.key key.pem
# Verification
cosign verify --certificate cert.pem --certificate-chain bundle.pem --certificate-identity code@nfsmith.ca --certificate-oidc-issuer https://code.nfsmith.ca/ --insecure-ignore-sct $(cat image) The last bit works because of the structure of my step-ca configuration. Its adding the right Fulcio extension so that I think ideally I'd like to smooth out the experience to by
On that last note, it was easy to make step-ca kind of Fulcio-like to fit the need here, but it would be nice if |
To confirm, does your OCI image have the certificate and chain in its annotations? If you pass them on |
Yup! Sign totally works as expected and I can see the cert and chain correctly added to the OCI signature when I run e.g `crane manifest derp:sha256-blah.sig`
|
Should is the key word I guess. It doesn't work in practice because if you
don't specify a cert then the current cosign implementation loads the
Fulcio root, ignores the cert chain you specify and then fails verification
because it didn't load the CA chain correctly
|
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
…rtificate chain with non-fulcio roots (#2845) * Support keyless verification without Fulcio roots Fixes #2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca> * add unit test for keyless verification Signed-off-by: Dmitry S <dsavints@gmail.com> * fix minor typo in CHANGELOG.md Signed-off-by: Dmitry S <dsavints@gmail.com> * update docs for cosign verify Signed-off-by: Dmitry S <dsavints@gmail.com> * initial skeleton of unit test for keyless verification Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Nathan Smith <nathan@nfsmith.ca> Signed-off-by: Dmitry S <dsavints@gmail.com> Co-authored-by: Nathan Smith <nathan@nfsmith.ca>
Description
Currently we have some support for signing with x509 certificates using haven't come from a Fulcio CA and and don't chain up to a TUF root. For example
The current invocation to verify this kind of signature is a little inconvenient as you need to specify the leaf certificate like so:
This means grabbing that leaf certificate off the OCI manifest or from the Rekor bundle or something. Would be great to be able to do the same kind of invocation as Fulcio's verification like
This convenient keyless verification would be awesome for folks using a custom CA, provided they're using certificates in a similar shape that Fulcio does (Efforts to standardize these extensions like sigstore/fulcio#945 would make it easy for folks to create a CA that does this)
The text was updated successfully, but these errors were encountered: