-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verify command: support keyless verification using only a provided certificate chain with non-fulcio roots #2845
verify command: support keyless verification using only a provided certificate chain with non-fulcio roots #2845
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2845 +/- ##
==========================================
+ Coverage 30.32% 30.67% +0.35%
==========================================
Files 151 151
Lines 9451 9469 +18
==========================================
+ Hits 2866 2905 +39
+ Misses 6140 6111 -29
- Partials 445 453 +8
|
Oh lovely! Thanks for picking this up @dmitris |
86347cb
to
4682b8c
Compare
(planning to work on this the weak after Easter - after April 11) |
4682b8c
to
c15ccc8
Compare
c15ccc8
to
94efc78
Compare
cc @znewman01 @woodruffw This relates to the conversation we've been having. If we go through with this, it would assume that the chain in the bundle contains the root. Note that Cosign already does this, with nit for the title, can we update to reflect this, something like "Support providing a bundle to verify with non-Fulcio roots", because identity-based verification is already suppported |
94efc78
to
8ebdf9c
Compare
We are running for an internal PoC a version of cosign with this modification, and I think we do not change the command-line parameters - we call it like this:
@haydentherapper - do you mean that we should introduce the
identity-based verification is, but you cannot verify the image without the Fulcio roots, and I believe this Is the essence of this change (please correct me if I'm wrong!). I think with this we can fix the issue on the "Bad News" slide of @nsmith5's Seattle talk https://youtu.be/d5vROySf1I8?t=1726 28:45. |
e28a86c
to
e048e76
Compare
Sorry @dmitris, I got my wires crossed, I was thinking this was about Your PR title suggestion sounds good. For a small change, can we add "only", "verify command: support keyless verification using only a provided certificate chain with non-fulcio roots", because it is possible to do keyless verification with non-fulcio roots now, you just have to specify the leaf cert with |
e048e76
to
6c192e5
Compare
Thanks for pinging me in here!
Making sure I understand: would the changes in this PR mean that including a root in the bundle's chain would be an intended use case? If that's correct, then I'd argue this should be removed entirely rather than expanded upon: including (and trusting) the bundled root is no different from accepting a self-signed signature. (It's possible I completely misunderstood, in which case please ignore me!) |
Docs change for sigstore/cosign#2845. For 'cosign verify', `--cert-chain` is sufficient, an additional `--cert` parameter for the leaf certificate is no longer required. Signed-off-by: Dmitry S <dsavints@gmail.com>
Docs change for sigstore/cosign#2845. For 'cosign verify', `--cert-chain` is sufficient, an additional `--cert` parameter for the leaf certificate is no longer required. Signed-off-by: Dmitry S <dsavints@gmail.com>
8a987e7
to
cd5d4a1
Compare
The current state is that you can specify the certificate chain to verify the provided certificate. The root is not provided out of band - It's been noted on another issue that we need to correct this, I think we'll probably just tackle that when we implement support for the new bundle format. This proposed change, for only So the question is, would we rather make the current, suboptimal behavior more uniform, or stop making any changes to the chain until we mandate provided roots out of band? |
cd5d4a1
to
fdeb6a8
Compare
Got it, thanks for explaining! That sounds like a logistical choice for |
IMO this all goes back to #2472 — the "chain" concept is really confusing, and the Given that, I think it's reasonable to make the behavior be (1) configure the trusted certificates, then (2) get the cert from wherever you can find it. |
fdeb6a8
to
d3a5b13
Compare
for the first TODO in the description, "Add PR for docs with examples of this kind of verification", see sigstore/docs#153, preview https://deploy-preview-153--docssigstore.netlify.app/cosign/verify/#keyless-verification-using-only-a-provided-certificate-chain-with-non-fulcio-roots or the attached screenshots: |
@haydentherapper would you (or other reviewers) insist on having an e2e test for this feature in this PR, or could I do it in a follow-up? I did test it manually and it works [for me] as expected. I'm not familiar with the e2e tests, and the related documentation I believe is still TODO (https://github.com/sigstore/cosign/blob/main/CONTRIBUTING.md) 😄 Trying to run test/e2e_test.sh
[...]
2023/04/25 18:45:18 GET /v2/cosign-e2e/referrers/sha256:a43304747e8d511d77dcbab6ece8dafc57e8dab2eed5cf2afb50ce95a85262c7 404 METHOD_UNKNOWN We don't understand your method + url
2023/04/25 18:45:18 GET /v2/cosign-e2e/manifests/sha256-a43304747e8d511d77dcbab6ece8dafc57e8dab2eed5cf2afb50ce95a85262c7 404 MANIFEST_UNKNOWN Unknown manifest
2023/04/25 18:45:19 GET /v2/
2023/04/25 18:45:19 GET /v2/cosign-e2e/manifests/latest
2023/04/25 18:45:19 GET /v2/
2023/04/25 18:45:19 GET /v2/cosign-e2e/manifests/sha256-a43304747e8d511d77dcbab6ece8dafc57e8dab2eed5cf2afb50ce95a85262c7.sig
2023/04/25 18:45:19 GET /v2/cosign-e2e/blobs/sha256:8a3a2d50844ea1a43c3a308952e8b3b5b4ad08cacc36b10fc7555671c0c57c13
2023/04/25 18:45:20 GET /v2/
2023/04/25 18:45:20 DELETE /v2/cosign-e2e/manifests/latest
2023/04/25 18:45:21 GET /v2/
2023/04/25 18:45:21 DELETE /v2/cosign-e2e/manifests/sha256-a43304747e8d511d77dcbab6ece8dafc57e8dab2eed5cf2afb50ce95a85262c7.sig
FAIL
FAIL github.com/sigstore/cosign/v2/test 542.888s
FAIL Full output of [1] https://sigstore.slack.com/archives/C01PZKDL4DP/p1681925607818049 |
d3a5b13
to
32a90b4
Compare
Yeah, this e2e is not really documented, but looking at the GH workflows
You also need |
32a90b4
to
6836ca7
Compare
6836ca7
to
830a122
Compare
Docs change for sigstore/cosign#2845. For 'cosign verify', `--cert-chain` is sufficient, an additional `--cert` parameter for the leaf certificate is no longer required. Signed-off-by: Dmitry S <dsavints@gmail.com>
830a122
to
341d835
Compare
I have put together a "one-shot" / automated script that goes through the keyless verification with non-fulcio root flow: https://github.com/dmitris/cosign-keyless - https://github.com/dmitris/cosign-keyless/blob/main/run.sh is the script, As expected, it fails with the trunk version of |
25baec9
to
ff1b5c1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for trying to get tests working, but I think it's clear that there's no great way to test this out besides a manual test. Given you've shown it works, I'm fine with this change. Can you just clean up the duplicated tests?
Fixes sigstore#2630 Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
ff1b5c1
to
9f53227
Compare
@haydentherapper removed the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@znewman01 Any other thoughts? I'm fine with this since we already do support providing the trust root via --cert-chain, this is just an optimization to also not require --certificate.
|
Signed-off-by: Dmitry S <dsavints@gmail.com>
9f53227
to
6196278
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for fixing this!
Docs change for sigstore/cosign#2845. For 'cosign verify', `--cert-chain` is sufficient, an additional `--cert` parameter for the leaf certificate is no longer required. Signed-off-by: Dmitry S <dsavints@gmail.com>
…rt-chain' without '--cert' (sigstore/cosign pr2845) (#153) * cosign verify --cert-chain without --cert Docs change for sigstore/cosign#2845. For 'cosign verify', `--cert-chain` is sufficient, an additional `--cert` parameter for the leaf certificate is no longer required. Signed-off-by: Dmitry S <dsavints@gmail.com> * address PR feedback Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Dmitry S <dsavints@gmail.com>
This is a continuation of the work started by @nsmith5 in #2631 and uses the code of that PR rebased on the current trunk.
Fixes #2630
Summary
This change adds support for verifying keyless signatures from the specified
--certificate-chain
instead of assuming Fulcio and loading its roots and without requiring to pass the certificate in addition to the certificate chain.As @haydentherapper noted in the comment below, the keyless verification without the Fulcio certificate roots is already possible but requires passing both certificate-chain and certificate.
This would allow folks to more easily verify signatures from a custom CA (see #2630 for additional discussion).
Release Note
Allow verifying signatures from a custom CA without needing leaf certificate
Documentation
Will attach an PR for docs here if folks agree on the parent issue that its worth doing
TODO
The TODO list as this idea is still in discussion etc.
Add PR for docs with examples of this kind of verification (done: 'cosign verify' for keyless verification with non-Fulio roots - '--cert-chain' without '--cert' (sigstore/cosign pr2845) docs#153)
Add some end to end tests of this (done: https://github.com/dmitris/cosign-keyless)