Add built-in function support to verify PGP signatures

[platten]

We have a use case for verifying annotations containing GPG signatures for Kubernetes manifests. It would be great to have a built-in function in rego which would support that!

[tsandall]

One thing worth mentioning is that users can easily extend OPA with custom built-in functions: https://www.openpolicyagent.org/docs/edge/extensions/#custom-built-in-functions-in-go

Since we try to avoid pulling thirdparty dependencies into OPA and this would likely require golang.org/x/crypto (which we do not currently vendor) I'd recommend checking out the method above. OPA builds easily and the extension process is quite lightweight--so check it out.

That said golang.org/x/crypto exports a lot of useful functions and I could imagine many users wanting those inside Rego. @patrick-east @koponen-styra do either of you have any opinions here? I'm assuming that as long OPA relies on stable exported APIs from golang.org/x/crypto this might not be a problem?

[koponen-styra]

Having golang.org/x/crypto as a dependency sounds useful, indeed. I'm my limited experience with the library its exported APIs have been stable.

[patrick-east]

+1 for golang.org/x/crypto being pretty safe as a dependency

[ashutosh-narkar]

@platten would you be able to provide an example of how you plan to use the proposed builtin? I would imagine the builtin takes the public key, signed file and signature file content.

[eshaanm25]

Hey @ashutosh-narkar! I know this thread is a bit old, but I wanted to add some interest for a GPG decryption function. GPG is often utilized to sign images and is natively used by container runtimes (like CRI-O) to verify if images can be deployed to an environment. Since a great use case of OPA is in Kubernetes, a built-in GPG decryption function would allow for shift-left verification of an image's GPG signature validity prior to deployment using OPA.

I think a GPG decryption function that takes GPG encrypted data and a public key as an input, and outputs the decrypted data would be a great addition to OPA's built-in function library.

[ashutosh-narkar]

@eshaanm25 that sounds like a useful builtin. Would you like to contribute? We are happy to help you through the process.

[eshaanm25]

I'd love to! Would you happen to have some resources or initial guidance for contributing? I'll take a look at the repository tonight and also attend the next open-hours session as well 😄

EDIT: Taking a look at the built-ins, I see topdown/crypto.go as the home for many of the crypto functions. I think GPG functions would be an addition to this collection, what do you think?

[ashutosh-narkar]

I think GPG functions would be an addition to this collection, what do you think?

That looks right. You can find an example of adding a builtin here and also checkout the code for the recently added builtins for more examples. General code contribution guidelines can be found here. Thanks for looking into this!

[ashutosh-narkar]

Closing for now. We can re-open based on future need and demand.

[yogisinha]

Hi @ashutosh-narkar , I can pick this one if this is needed.