Verify the certificate chain against the Fulcio root trust by default

[wata727]

Summary

See #2134

Currently, the verification performed by cosign verify-blob --cert does not verify the certificate chain, so you cannot guarantee that the certificate was correctly issued by Fulcio. So you need to explicitly pass Fulcio's root certificate via the --cert-chain option.

cosign initialize
cat ~/.sigstore/root/targets/fulcio_intermediate_v1.crt.pem > fulcio_chained.crt.pem
echo >> fulcio_chained.crt.pem
cat ~/.sigstore/root/targets/fulcio.crt.pem >> fulcio_chained.crt.pem
echo >> fulcio_chained.crt.pem
cat ~/.sigstore/root/targets/fulcio_v1.crt.pem >> fulcio_chained.crt.pem

cosign verify-blob --cert checksum.txt.pem --cert-chanin fulcio_chained.crt.pem ...

However, this way of getting root certificates is not secure. Ideally, it should be retrieved by a TUF client. After discussing this matter in #2134, @haydentherapper says that there is room for changing the default behavior.

This PR will change the default behavior from not verifying the certificate chain if --cert-chain is not passed to verifying the certificate chain against the Fulcio root trust getting by a TUF client.

Release Note

• Changed the default behavior from not verifying the certificate chain if --cert-chain is not passed to verifying the certificate chain against the Fulcio root trust getting by a TUF client.

Documentation

• The description of the --certificate option needs to be changed.

[wata727]

I have two things to discuss:

• Should this change be followed by similar commands such as cosign verify?
• Is there a good way to add tests for this implementation? verify_blob_test.go didn't seem to have any tests for verification.

[codecov-commenter]

Codecov Report

Merging #2139 (b4887ea) into main (128f8fb) will decrease coverage by 0.05%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2139      +/-   ##
==========================================
- Coverage   26.28%   26.23%   -0.06%     
==========================================
  Files         130      130              
  Lines        7602     7617      +15     
==========================================
  Hits         1998     1998              
- Misses       5347     5362      +15     
  Partials      257      257              

Impacted Files	Coverage Δ
cmd/cosign/cli/options/certificate.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_attestation.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go	9.72% <0.00%> (-0.16%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[haydentherapper]

The same changes need to be made in https://cs.github.com/sigstore/cosign/blob/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94/cmd/cosign/cli/verify/verify_attestation.go?q=org%3Asigstore+CheckCertificatePolicy#L141 and https://cs.github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/cmd/cosign/cli/verify/verify.go?q=org%3Asigstore+CheckCertificatePolicy#L162

[haydentherapper]

Testing is unfortunately a bit rough. Check out e2e_test.go, but it might be hard to fit in a test for this, especially with TUF. We may need a TODO.

[haydentherapper]

/hold, I want to give a bit more thought to this and will get back to you on Monday.

cc @znewman01

[wata727]

The same changes need to be made

Fixed eda267b

Testing is unfortunately a bit rough. Check out e2e_test.go, but it might be hard to fit in a test for this, especially with TUF. We may need a TODO.

Understood. I'll take a little deeper look at the e2e_test.go implementation.

[znewman01]

Hey, thanks for this! (and thanks for looping me in, @haydentherapper)

I haven't looked too closely at the code but this change seems like much better/safer default behavior.

I just want to think through workarounds for anyone who was relying on the old behavior. The right thing to do in such a case is probably to provide the public key directly, rather than via a cert; this makes it much clearer what you're asking for. Maybe we should refer users to the step certificate key command? IIUC it should Just Work™

Was there anything specific you wanted my feedback on?

[patflynn]

I'm probably mis-interpreting this, but for cases where the user has signed a blob with a user provided custom key, why would we want to verify against the fulcio root?

[haydentherapper]

@znewman01 Just looking for a second opinion! Generally this looked good to me, beyond the potentially breaking change.

@patflynn One thought is a user is very unlikely to provide a certificate in that case (I think), they'd be providing a key. We've got a few options for providing verification material:

• No key or cert - Either:
  • Fetch the certificate+chain from OCI. Verify the certificate+chain against the TUF root
  • Fetch the certificate from Rekor for blob signing. Extract the verification key. (I don't actually like this since Rekor is meant to be a witness to an event and not storage, but let's discuss that more in another issue) <-- Note that this doesn't verify the cert against a chain because previously Rekor didn't support uploading the full cert chain. This option is just kinda messy.
• A key - Use the key to verify
• A certificate+chain - Verify the chain, and extract the verification key from the cert. Don't verify against TUF.
• A certificate w/o chain - Current behavior is to just extract the verification key. My question is, is anyone providing a certificate that's not from Fulcio in this case? If the vast majority of users provide a Fulcio certificate, then we should verify against the chain from TUF.

The workaround would either be extracting the key themselves (Like Zach mentioned) or providing the full certificate chain.

[patflynn]

@haydentherapper got it. that makes sense. Thanks for clarifying.

[asraa]

nit: Fulcio root provided in the TUF root?

[wata727]

I didn't mention it to TUF here because I have a concern about the description would be too long. If we should mention it, please let me know so I fix it.

[haydentherapper]

LGTM, just need to fix the failing test. Thanks!

[dlorenc]

The failure is unrelated and the fix is over here: sigstore/scaffolding#277

[dlorenc]

I'll merge while we wait for the fix.