adds tsa cert chain check for env var or tuf targets. #3600
Conversation
Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com>
This looks pretty good to me, though I'm not a TSA or TUF expert.
It looks like the merge commit accidentally pulled in an unused import so this doesn't build.
This will need some tests.
var tsaLeafCertStr = `tsa_leaf.crt.pem`
var tsaRootCertStr = `tsa_root.crt.pem`
var tsaIntermediateCertStrPattern = `tsa_intermediate_%d.crt.pem`
(nit) these could be consts
@@ -0,0 +1,75 @@
package cosign
This will need a copyright header
Thanks, sorry for the delay. Just a couple comments.
+1 to tests.
// By default, the certificates come from TUF, but you can override this for test
// purposes by using an env variable `SIGSTORE_TSA_CERTIFICATE_FILE`. If using
// an alternate, the file should be in PEM format.
func GetTSACerts(ctx context.Context) (leaves [][]byte, intermediates [][]byte, roots [][]byte, err error) {
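Review bot: the doc comment calls SIGSTORE_TSA_CERTIFICATE_FILE a test-only override, but the PR's release note ships it as a supported source alongside TUF targets; pick one and say so here, because whatever file that variable points at replaces the TSA trust root for every verification in the process. The comment should also spell out what the PEM file is expected to contain (one bundle holding leaf, intermediates and root?) since the function hands back three separate slices, and returning `[][]byte` rather than parsed certificates means every caller repeats the PEM-to-x509 decoding.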
We also need to support reading the chain from a provided file path specified in TSACertChainPath, to avoid making this a breaking client change.
// By default, the certificates come from TUF, but you can override this for test
// purposes by using an env variable `SIGSTORE_TSA_CERTIFICATE_FILE`. If using
// an alternate, the file should be in PEM format.
func GetTSACerts(ctx context.Context) (leaves [][]byte, intermediates [][]byte, roots [][]byte, err error) {
Should we return x509.Certificate structs instead of byte arrays? This will cut down on repetition in the verify files if you handle unmarshalling from PEM in this function.
Thanks for the feedback/comments, will try to implement in the next few weeks.
closes #3563
Summary
Creates parity between Cosign / TSA (e.g. TSA values are now handled similarly to ctlog, fulcio, and rekor creds) since the sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.
Currently, the TSA cert chain is required via Cosign's CLI flag, though, as per #3563, Cosign can support reading the cert chain from either an environment variable or the TUF targets, similar to the Fulcio certs, Rekor keys or CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as examples.
Release Note
Adds a TSA cert chain check that reads the chain from the env var SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targets.
Documentation
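The two review threads above ask for the PEM bundle (whether it came from SIGSTORE_TSA_CERTIFICATE_FILE or a TUF target) to be handed back as parsed x509.Certificate values, and for the chain to actually be checked before a timestamp is trusted. The example below is added here and is not cosign's code nor the PR's GetTSACerts: SplitTSAChain, VerifyTSALeaf, mustIssue and NewConstructedChain are hypothetical names, and the root/intermediate/leaf chain is constructed in memory so the code runs offline. Selecting the source is a one-line os.Getenv on SIGSTORE_TSA_CERTIFICATE_FILE ahead of this and is left out; what matters for a verifier is what happens to the bytes afterwards: sort them into leaves, intermediates and roots, chain the leaf to a root, and insist on the id-kp-timeStamping EKU, so a leaf that only carries serverAuth is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SplitTSAChain parses a PEM bundle into leaves, intermediates and roots as parsed
// *x509.Certificate values, so callers never handle raw DER. (Hypothetical helper.)
func SplitTSAChain(bundle []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, nil, nil, fmt.Errorf("parsing TSA certificate: %w", perr)
		}
		switch {
		case cert.IsCA && cert.CheckSignatureFrom(cert) == nil: // self-signed CA: a trust anchor
			roots = append(roots, cert)
		case cert.IsCA:
			intermediates = append(intermediates, cert)
		default:
			leaves = append(leaves, cert)
		}
	}
	if len(leaves) == 0 || len(roots) == 0 {
		return nil, nil, nil, fmt.Errorf("TSA chain needs at least one leaf and one root")
	}
	return leaves, intermediates, roots, nil
}

// VerifyTSALeaf chains leaf to a trusted root via intermediates and requires the
// id-kp-timeStamping EKU, the check owed to an RFC 3161 token before trusting its time.
func VerifyTSALeaf(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}})
	return err
}

// mustIssue mints a throwaway P-256 certificate for the constructed fixture below
// (parent == nil means self-signed); it panics because it only builds sample input.
func mustIssue(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, ExtKeyUsage: eku,
		// both bits so one helper serves the CAs (need certSign) and the leaf (digitalSignature)
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewConstructedChain builds an in-memory root -> intermediate -> leaf PEM bundle so the
// example runs offline (constructed sample input, not a real TSA). withTSAEKU=false gives
// the leaf a serverAuth EKU instead, which VerifyTSALeaf must reject.
func NewConstructedChain(withTSAEKU bool) []byte {
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if withTSAEKU {
		eku = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	}
	root, rootKey := mustIssue("constructed TSA root", 1, true, nil, nil, nil)
	inter, interKey := mustIssue("constructed TSA intermediate", 2, true, nil, root, rootKey)
	leaf, _ := mustIssue("constructed TSA leaf", 3, false, eku, inter, interKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, inter, root} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return bundle
}

func main() {
	leaves, inters, roots, err := SplitTSAChain(NewConstructedChain(true))
	if err != nil {
		panic(err)
	}
	fmt.Println("TSA leaf verifies:", VerifyTSALeaf(leaves[0], inters, roots, time.Now()) == nil)
}
```

Classifying on IsCA plus a self-signature check means the bundle's order does not matter, which is useful when the file was assembled by hand; passing KeyUsages explicitly is what turns Go's generic chain build into a TSA check, and dropping the intermediate or the EKU makes Verify fail rather than silently accepting the leaf.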