adds tsa cert chain check for env var or tuf targets. #3600
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ianhundere
force-pushed
the
fetches_tsa_certs_from_tuf
branch
from
22829ef
to
bb39074
Compare
Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
ianhundere
force-pushed
the
fetches_tsa_certs_from_tuf
branch
from
bb39074
to
873791f
Compare
Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com>
cmurphy
reviewed
Apr 30, 2024
Comment on lines
+15
to
+17
| var tsaLeafCertStr = `tsa_leaf.crt.pem` | ||
| var tsaRootCertStr = `tsa_root.crt.pem` | ||
| var tsaIntermediateCertStrPattern = `tsa_intermediate_%d.crt.pem` |
There was a problem hiding this comment.
(nit) these could be consts
| @@ -0,0 +1,75 @@ | |||
| package cosign | |||
There was a problem hiding this comment.
This will need a copyright header
| // By default, the certificates come from TUF, but you can override this for test | ||
| // purposes by using an env variable `SIGSTORE_TSA_CERTIFICATE_FILE`. If using | ||
| // an alternate, the file should be in PEM format. | ||
| func GetTSACerts(ctx context.Context) (leaves [][]byte, intermediates [][]byte, roots [][]byte, err error) { |
There was a problem hiding this comment.
We also need to support reading the chain from a provided file path specified in TSACertChainPath, to avoid making this a breaking client change.
| // By default, the certificates come from TUF, but you can override this for test | ||
| // purposes by using an env variable `SIGSTORE_TSA_CERTIFICATE_FILE`. If using | ||
| // an alternate, the file should be in PEM format. | ||
| func GetTSACerts(ctx context.Context) (leaves [][]byte, intermediates [][]byte, roots [][]byte, err error) { |
There was a problem hiding this comment.
Should we return x509.Certificate structs instead of byte arrays? This will cut down on repetition in the verify files if you handle unmarshalling from PEM in this function.
|
thanks for the feedback/comments, will try to implement in the new few weeks. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #3563
Summary
Creates parity between Cosign / TSA (e.g. TSA values are handled similarly to ctlog, fulcio, and rekor creds now) since sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.
Currently, the TSA cert chain is required via Cosign's cli flag, though, as per #3563, Cosign can support reading the cert chain from either an environment or the TUF targets, similar to Fulcio certs, Rekor keys or the CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as an example.
Release Note
SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targetsDocumentation