Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Load in intermediate cert pool from TUF #1804

Merged
merged 1 commit into from Apr 26, 2022
Merged

Load in intermediate cert pool from TUF #1804

merged 1 commit into from Apr 26, 2022

Conversation

haydentherapper
Copy link
Contributor

With the v3 TUF root, the intermediate CA certificate will be included,
so that if the intermediate signing key was compromised, the
intermediate certificate could be revoked by removing it from the TUF
targets and replacing it with a trusted certificate.

This change loads the intermediate certificate from TUF. However, we
don't want to force all users to follow this structure - They may choose
to use CRLs to detect revoked intermediates. Also, I don't want to
enforce TUF usage in the Verify package. Therefore, for TUF, we lazily create
a certificate pool only if an intermediate certificate is found, and if
it's not found, then VerifyImageSignature will create a pool using the
chain provided in the annotation.

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes

Release Note

Added support for loading intermediate certificates from TUF on verification

@haydentherapper
Load in intermediate cert pool from TUF
9de6cf4 
With the v3 TUF root, the intermediate CA certificate will be included,
so that if the intermediate signing key was compromised, the
intermediate certificate could be revoked by removing it from the TUF
targets and replacing it with a trusted certificate.

This change loads the intermediate certificate from TUF. However, we
don't want to force all users to follow this structure - They may choose
to use CRLs to detect revoked intermediates. Also, I don't want to
enforce TUF usage in the Verify package. Therefore, for TUF, we lazily create
a certificate pool only if an intermediate certificate is found, and if
it's not found, then VerifyImageSignature will create a pool using the
chain provided in the annotation.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

cc @asraa

@codecov-commenter
Copy link

codecov-commenter commented Apr 26, 2022
edited

Codecov Report

Merging #1804 (9de6cf4) into main (db323cd) will decrease coverage by 0.02%.
The diff coverage is 43.47%.

@@            Coverage Diff             @@
##             main    #1804      +/-   ##
==========================================
- Coverage   32.73%   32.71%   -0.03%     
==========================================
  Files         147      147              
  Lines        9313     9330      +17     
==========================================
+ Hits         3049     3052       +3     
- Misses       5907     5920      +13     
- Partials      357      358       +1
Impacted Files Coverage Δ
cmd/cosign/cli/verify/verify.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_attestation.go 0.00% <0.00%> (ø)
cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go 36.36% <47.05%> (+0.42%) ⬆️
pkg/cosign/verify.go 29.54% <50.00%> (+0.06%) ⬆️
pkg/cosign/tuf/client.go 61.68% <0.00%> (-0.82%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db323cd...9de6cf4. Read the comment docs.

@dlorenc
Copy link
Member

dlorenc commented Apr 26, 2022

Do you want this in 1.8?

@haydentherapper
Copy link
Contributor Author

If 1.8 hasn't been released yet, that'd be great!

@dlorenc dlorenc merged commit 367c79e into sigstore:main Apr 26, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 26, 2022
@dlorenc dlorenc mentioned this pull request Apr 26, 2022
Merged
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@haydentherapper @mlieberman85
Load in intermediate cert pool from TUF (sigstore#1804)
bb7c39d 
With the v3 TUF root, the intermediate CA certificate will be included,
so that if the intermediate signing key was compromised, the
intermediate certificate could be revoked by removing it from the TUF
targets and replacing it with a trusted certificate.

This change loads the intermediate certificate from TUF. However, we
don't want to force all users to follow this structure - They may choose
to use CRLs to detect revoked intermediates. Also, I don't want to
enforce TUF usage in the Verify package. Therefore, for TUF, we lazily create
a certificate pool only if an intermediate certificate is found, and if
it's not found, then VerifyImageSignature will create a pool using the
chain provided in the annotation.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper haydentherapper deleted the int-from-tuf branch January 10, 2023 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

@asraa asraa asraa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.8.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@haydentherapper @codecov-commenter @dlorenc @asraa