Fulcio signing implementation #1785
LGTM
6eafaba to b3ae511
Rebased, ready for review.
Oops, still one path to try.
... to be also used by Fulcio. Note that the atomic: transport uses a skopeo/... user agent, we don't care to change that. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Tested manually with Skopeo. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This seems, at best, useful for debugging and as an escape hatch for other missing OIDC operations. FIXME: test this at least once manually. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
b87e89d to cd6511f
I have (manually) tested the “static ID token” path now. Ready for review and potentially merging now.
(Adding unit tests tracked in #1601.)
LGTM
LGTM
This adds API to use Fulcio-generated short-lived certificates.
Depends on #1784.
I still need to test one part but it seems broadly ready.
I don’t feel too confident about the API, but it seems close enough, and we can always add more option functions, or a new signature/sigstore/fulciov2 package (still operating on signature/sigstore/internal.Signer)