fix: fix cert chain validation for verify-blob in non-experimental mode #2256
Conversation
Signed-off-by: Asra Ali <asraa@google.com>
|
Should add test validating that we will succeed when |
cmd/cosign/cli/verify/verify_blob.go
Outdated
| if err != nil { | ||
| return fmt.Errorf("getting Fulcio intermediates: %w", err) | ||
| } | ||
| } | ||
| co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) |
There was a problem hiding this comment.
Should we handle else for when the cert chain is set? Otherwise, the certificate wouldn't validate if it's been signed by a non-fulcio pki
There was a problem hiding this comment.
lemme see if I can also add a test here.
There was a problem hiding this comment.
Hm...I think it's pretty unexpected that --certificate-chain would mean "accept whatever cert was at the root of the chain."
This is part of why I think an explicit --certificate-root flag would be a good idea.
There was a problem hiding this comment.
We do document the the chain is the intermediates and root -
cosign/cmd/cosign/cli/options/certificate.go
Lines 67 to 70 in 04f509c
There was a problem hiding this comment.
Yea, let's. It's a bit unclear to me what should be the right behavior here, especially if I provide both a sigstore root and certificate chain.
There was a problem hiding this comment.
The behavior here should match 1.11.x (the more significant change is around checking expiration)
There was a problem hiding this comment.
If someone could help me update the release notes to close this out, that'd be great. I added one in. I'm not sure if anything breaks.
There was a problem hiding this comment.
Hm I don't see anything under "Release Notes" in the PR description.
Maybe:
The
v1.12.0release introduced a regression: whenCOSIGN_EXPERIMENTALwas not set,cosign verify-blobwould check a--certificate(without a--certificate-chainprovided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).
I think we should have a summary of the current behavior (as opposed to a diff, in the release note) somewhere too; maybe that's what we can hash out in #2254
There was a problem hiding this comment.
Sorry, I put it in the summary instead. Moved, but feel free to edit.
Sg, I'll add a longer explanation
Signed-off-by: Asra Ali <asraa@google.com>
|
Just added a test verifying that |
Codecov Report
@@ Coverage Diff @@
## main #2256 +/- ##
==========================================
+ Coverage 28.40% 28.56% +0.15%
==========================================
Files 131 131
Lines 7832 7855 +23
==========================================
+ Hits 2225 2244 +19
+ Misses 5309 5305 -4
- Partials 298 306 +8
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
cmd/cosign/cli/verify/verify_blob.go
Outdated
| if err != nil { | ||
| return fmt.Errorf("getting Fulcio intermediates: %w", err) | ||
| } | ||
| } | ||
| co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) |
There was a problem hiding this comment.
Hm...I think it's pretty unexpected that --certificate-chain would mean "accept whatever cert was at the root of the chain."
This is part of why I think an explicit --certificate-root flag would be a good idea.
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
cmd/cosign/cli/verify/verify_blob.go
Outdated
| if err != nil { | ||
| return fmt.Errorf("getting Fulcio intermediates: %w", err) | ||
| } | ||
| } | ||
| co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) |
There was a problem hiding this comment.
If we're sure that this matches the behavior from v1.11.x, and we explain it more clearly in the help text, I'm okay with dealing with this problem later.
|
@cpanato as soon as possible I think. Release notes should be specified in the PR description |
Signed-off-by: Asra Ali asraa@google.com
Summary
--certificate-chainis not passed intoverify-blob.In non-experimental mode, we incorrectly only loaded Fulcio roots to verify against when
certRef == "".When a
certRef != ""in non-experimental mode, like, user provides cert with offline bundle without specifying a custom cert chain, then we would NOT load in the Fulcio roots. This would cause certificate validation failure.Instead, whenever
certChain == ""we will load in fulcio roots in non-experimental mode, either if you provide a cert or a bundle.Release Note
--certificate-chainis not passed intoverify-blob. The v1.12.0 release introduced a regression: whenCOSIGN_EXPERIMENTALwas not set, cosignverify-blobwould check a--certificate(without a--certificate-chainprovided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).Documentation