-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sugar for common GitHub Actions (and other CI/CD workflows) #2691
Comments
In #2805 @philpennock makes some good, related points: namely, we may want to do this for other code forges. Please check out that issue for a proposed syntax as well. How will we get from here to there (you can ignore if you're not interested in implementation details)? First, the way that we check predicates like those from the Then, once that's tamed, the existing flags can "compile" to a predicate. This compilation process will make it really easy to add "sugar" that prevents common antipatterns, support testability and debuggability, and allows consistency across verification commands. CC @ivanayov as this issue is similar to those you've been working on; it might be a fun one to take a look at—if you're interested, happy to dig into it with you. CC @asraa and @haydentherapper who have been interested in related issues in the past |
Love this idea! As Phil said, what you want is to know that what you're verifying came from some repository - You shouldn't need to know the exact structure of the subject and issuer. cc @laurentsimon you might be interested in this too for slsa-verifier |
I really like the idea of moving towards a policy-based approach because of the flexibility it adds. Sigstore could even provide a set of canned policies (or policy templates) for different use cases. One of the things to consider here is how the certificate data will be available as an input to the policy. Currently, package signature
default allow := false
allow {
input.predicateType == "https://slsa.dev/provenance/v0.2"
} In other words, If we want policies to evaluate the certificate, we need to pass that to the policy. There are different approaches that come to mind:
I like option 3, or a variation of it, because it allows us to add attributes in the future without breaking the format. On the Enterprise Contract side, we chose a variation of 3. But in our case, we combine input:
image:
signatures:
- {... cert ...}
attestations:
- predicateType: ...
signatures:
- {... cert ...} It would be really great if we could come up with an approach where a certain policy could work with cosign, Enterprise Contract, sigstore/policy-controller, etc... The benefit for cosign is that the same policy could be used in the |
(This is written about GitHub so we have a specific example, but applies to all future CI/CD providers!)
Right now, you need to deal with a menagerie of flags to verify GitHub actions workflows (
cosign verify-blob
):We've talked about simplifying this (CC @haydentherapper) by splitting into specific
verify-github
subcommands. This helps a bit, but still requires values for many (all?) of these fields. That's required for full power for sure.But @sudo-bmitch points out that there's a really common query we can optimize for: did this signature come from a workflow in "its" GitHub repository? This would boil down to something like just
--certificate-github-workflow-repository
.Need to be careful here but I think if we're clear about what it's checking, we can make this common use case really nice! Let's think through this if we're building a
verify-github
command.The text was updated successfully, but these errors were encountered: