Add --signing-algorithm flag #3497
Conversation
cmd/cosign/cli/sign/sign.go
Outdated
| // Always default to ECDSA_SHA2_256_NISTP256 for now | ||
| if ko.SigningAlgorithm == pb_go_v1.KnownSignatureAlgorithm_KNOWN_SIGNATURE_ALGORITHM_UNSPECIFIED { | ||
| ko.SigningAlgorithm = pb_go_v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256 | ||
| } | ||
|
|
||
| if !cosign.ClientAlgorithmsRegistry.HasAlgorithmDetails(ko.SigningAlgorithm) { | ||
| return fmt.Errorf("unsupported signing algorithm: %s", ko.SigningAlgorithm.String()) | ||
| } | ||
|
|
||
| algorithmDetails, err := cosign.ClientAlgorithmsRegistry.GetAlgorithmDetails(ko.SigningAlgorithm) | ||
| if err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
This does not make too much sense when the user specifies --key. What should be the behaviour in that case? Right now a user can even specifies a e.g. RSA key with --key and this check would not detect it (because the signing algorithm defaults to ECDSA_SHA2_256_NISTP256).
How do we want cosign to behave? Shall the registry block also --key algorithms? If so, we should probably add RSA to the list of accepted client signing algorithms as that is already valid in the current state.
|
Shall we add the |
There was a problem hiding this comment.
Do we need a client algorithm registry for the sign path? There are roughly three places the client interacts with a key: Generation, signing, and verification.
For generation, it makes sense that the client specify which algorithms are supported for the generated key. This can be for both ephemeral and long-lived key generation.
For the verification path, supported algorithms could be a part of the verification policy, so that makes sense to allow a user to specify a set of trusted algorithms.
For signing, I'm not sure it's needed. When a key is provided, the user is specifying that's the key they want to use (whether it was generated ephemerally or self-managed). The backend (fulcio or rekor) could choose to reject it, which will be surfaced as a response error.
* Use ED25519ph algorithm with sign/verify-blob commands Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
ret2libc
force-pushed
the
signing-algorithm-flag
branch
from
a11042f
to
0cfa089
Compare
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
ret2libc
force-pushed
the
signing-algorithm-flag
branch
from
c8076cb
to
2990915
Compare
Summary
Give the user the option to choose which signing algorithm to use when generating keypairs (#3271).
Code based on #3479 .
Release Note
Documentation