
Cosigned validate against remote sig src #1754

Merged
merged 1 commit into from Apr 18, 2022
Merged

Conversation

DennyHoang
Contributor

@DennyHoang DennyHoang commented Apr 13, 2022

Signed-off-by: Denny Hoang <dhoang@vmware.com>

Summary

  • Implementing Authority.Sources to allow verification against signatures in different registry locations
  • Also noticed a bug where we were not creating remoteOptions with the keychain and therefore could not verify against private repositories
  • RemoteOpts follow the same unmarshalJSON override as publicKeys. This is because the remoteOption type is not supported by json [un]marshal
  • RemoteOpts are parsed and stored as a part of the CIP config to reduce parsing within the validation loop

Ticket Link

Fixes #1651

Release Note

* Specifying remote source for signatures in cosigned

cc: @coyote240 @hectorj2f @vaikas

@codecov-commenter

codecov-commenter commented Apr 13, 2022

Codecov Report

Merging #1754 (d6021d6) into main (0c232da) will increase coverage by 0.08%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1754      +/-   ##
==========================================
+ Coverage   30.55%   30.63%   +0.08%     
==========================================
  Files         143      143              
  Lines        8651     8661      +10     
==========================================
+ Hits         2643     2653      +10     
  Misses       5709     5709              
  Partials      299      299              
Impacted Files                                           Coverage Δ
...cosigned/v1alpha1/clusterimagepolicy_validation.go    92.17% <100.00%> (+0.74%) ⬆️
pkg/cosign/kubernetes/webhook/validator.go               82.56% <100.00%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@@ -44,6 +47,9 @@ type Authority struct {
Sources []v1alpha1.Source `json:"source,omitempty"`
// +optional
CTLog *v1alpha1.TLog `json:"ctlog,omitempty"`
// RemoteOpts are not marshalled because they are an unsupported type
// +optional
RemoteOpts []remote.Option `json:"-"`
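Review bot: the comment on `RemoteOpts` only says the field is skipped by the JSON marshaller; it should also say where the value comes from, since with `json:"-"` the only thing that ever fills it is the custom `Authority.UnmarshalJSON` that derives it from `Sources`. Any path that builds an `Authority` without decoding JSON (a deep copy, a hand-built test fixture) leaves it nil, and the webhook then runs without the configured signature source or keychain. Suggest `// RemoteOpts are derived from Sources in UnmarshalJSON; not marshalled because remote.Option is an unsupported type`, and a unit test that decodes a `source[].oci` entry and asserts `len(RemoteOpts) > 0`.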
Contributor


If we can't marshal it, how is it going to be used? I know this is draft, but just noticed this and just curious how we envision the flow from Reconciler->CIP-Resolved->Webhook to behave.

Contributor Author


We keep the sources as a string in authority.source[].oci
RemoteOpts are populated during the unmarshal that occurs when store.go creates the clusterImagePolicy object from the configmap. We use an overridden `func (a *Authority) UnmarshalJSON(data []byte) error` to populate the RemoteOpts at that time.

So, in summary:

  • Reconciler->CIP-resolved->webhook->configmap will store source[].oci as a string
  • configmap->webhook in store.go is where we do the pre-processing for remoteOpts: the string gets converted during unmarshal
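The flow described in this reply (source locations stored as plain strings in the configmap, remote options derived from them once in an overridden `UnmarshalJSON`, and the func-typed field excluded from marshalling with `json:"-"`), as an added stand-alone Go example; this is not the cosign code from the PR. It assumes a hypothetical `RemoteOption` func type and `remoteConfig` struct as stand-ins for go-containerregistry's `remote.Option`, hypothetical `withSignatureRepo`/`withKeychain` helpers, and a constructed authority JSON entry. It also rejects an empty `oci` string at unmarshal time, which is this example's choice rather than something the PR states.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Source holds the signature location as a plain string, which is what the
// reconciler writes into the CIP configmap.
type Source struct {
	OCI string `json:"oci,omitempty"`
}

// RemoteOption is a hypothetical stand-in for go-containerregistry's
// remote.Option: a function value, so encoding/json cannot (un)marshal it.
type RemoteOption func(*remoteConfig)

// remoteConfig is the hypothetical settings bag the options mutate.
type remoteConfig struct {
	SignatureRepo string
	UseKeychain   bool
}

// Authority is a trimmed version of the CIP authority shape.
type Authority struct {
	Name    string   `json:"name"`
	Sources []Source `json:"source,omitempty"`
	// RemoteOpts are derived from Sources at unmarshal time and are never
	// marshalled (json:"-") because a func type is unsupported by encoding/json.
	RemoteOpts []RemoteOption `json:"-"`
}

// withSignatureRepo (hypothetical) points signature lookups at another repo.
func withSignatureRepo(repo string) RemoteOption {
	return func(c *remoteConfig) { c.SignatureRepo = repo }
}

// withKeychain (hypothetical) attaches registry credentials so private
// repositories can be read; the PR notes this was missing before.
func withKeychain() RemoteOption {
	return func(c *remoteConfig) { c.UseKeychain = true }
}

// UnmarshalJSON decodes the plain fields through an alias type (which has no
// methods, so no recursion) and then builds RemoteOpts once, so the webhook's
// validation loop does not re-parse the source strings per image.
func (a *Authority) UnmarshalJSON(data []byte) error {
	type plain Authority
	var p plain
	if err := json.Unmarshal(data, &p); err != nil {
		return err
	}
	*a = Authority(p)
	a.RemoteOpts = []RemoteOption{withKeychain()}
	for _, s := range a.Sources {
		repo := strings.TrimSpace(s.OCI)
		if repo == "" {
			// Example's own check: an empty location would silently fall back
			// to the default lookup, so fail loudly at config load instead.
			return errors.New("authority source oci must not be empty")
		}
		a.RemoteOpts = append(a.RemoteOpts, withSignatureRepo(repo))
	}
	return nil
}

// LoadAuthority is the configmap->webhook step: bytes in, options ready.
func LoadAuthority(data []byte) (Authority, error) {
	var a Authority
	err := json.Unmarshal(data, &a)
	return a, err
}

// ResolveRemote applies the pre-built options, as the validator would per image.
func ResolveRemote(opts []RemoteOption) remoteConfig {
	var c remoteConfig
	for _, o := range opts {
		o(&c)
	}
	return c
}

// sampleAuthorityJSON is a constructed configmap entry, not taken from cosign.
const sampleAuthorityJSON = `{"name":"keyless","source":[{"oci":"registry.example.com/sigs"}]}`

func main() {
	a, err := LoadAuthority([]byte(sampleAuthorityJSON))
	if err != nil {
		panic(err)
	}
	cfg := ResolveRemote(a.RemoteOpts)
	fmt.Printf("signature repo=%q keychain=%v\n", cfg.SignatureRepo, cfg.UseKeychain)

	// Round trip: the func-typed field is skipped, so re-marshalling succeeds
	// and the string form of the source is what gets persisted again.
	out, err := json.Marshal(a)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The alias-type trick is what keeps the override from calling itself; the keychain option is added unconditionally so that a private signature repository is readable regardless of how many sources are listed.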

@DennyHoang DennyHoang force-pushed the cip-source branch 4 times, most recently from 9921d4b to bb6f3fa on April 14, 2022 18:49
@DennyHoang DennyHoang force-pushed the cip-source branch 2 times, most recently from d6021d6 to c443e6b on April 14, 2022 19:05
@DennyHoang DennyHoang marked this pull request as ready for review April 14, 2022 19:05
@DennyHoang DennyHoang force-pushed the cip-source branch 3 times, most recently from e830229 to 3573cc0 on April 18, 2022 15:31
Add github workflow steps for remote signatures

Signed-off-by: Denny Hoang <dhoang@vmware.com>
Contributor

@vaikas vaikas left a comment


Awesomesauce! Thanks for doing!

@vaikas vaikas merged commit f89d691 into sigstore:main Apr 18, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 18, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
Add github workflow steps for remote signatures

Signed-off-by: Denny Hoang <dhoang@vmware.com>
Successfully merging this pull request may close these issues.

Implement CIP.Source
4 participants