Open
Description
I've just been looking at adding support for publishing results from GitLab CI for a few of my projects.
I've just hit #511 with my test repo so I thought I'd try using a non-nested group which now fails with something slightly different:
2024/02/20 12:01:49 error processing signature: error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: repository and branch of cert doesn't match that of request, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}
There's some more details in my thread in the OpenSSF Slack, if that's of help.
The ephemeral certificate has the following data within it:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5a:fa:aa:f8:2a:df:9c:09:8d:6a:2e:e3:84:be:16:ff:bd:13:77:79
Signature Algorithm: ecdsa-with-SHA384
Issuer: O=sigstore.dev, CN=sigstore-intermediate
Validity
Not Before: Feb 20 12:01:34 2024 GMT
Not After : Feb 20 12:11:34 2024 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:93:8a:e6:ab:41:f6:65:e3:f6:2c:e8:6b:91:85:
a5:be:09:d1:b6:7e:da:15:4b:b1:f7:0e:a3:83:32:
f6:d9:fc:53:d7:43:cb:20:ab:ba:26:63:7f:16:fa:
6a:9d:34:be:8f:39:50:dd:f8:fa:56:d9:a0:5a:2b:
19:ea:ba:d5:2d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Subject Key Identifier:
2D:3A:F3:CB:D9:28:8F:FB:95:CA:05:AC:2B:3A:67:96:25:C7:24:E1
X509v3 Authority Key Identifier:
DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
X509v3 Subject Alternative Name: critical
URI:https://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
1.3.6.1.4.1.57264.1.1:
https://gitlab.com
1.3.6.1.4.1.57264.1.8:
..https://gitlab.com
1.3.6.1.4.1.57264.1.9:
.Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
1.3.6.1.4.1.57264.1.10:
.(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
1.3.6.1.4.1.57264.1.11:
.
gitlab-hosted
1.3.6.1.4.1.57264.1.12:
.7https://gitlab.com/jamietanna/hacking-scorecards-gitlab
1.3.6.1.4.1.57264.1.13:
.(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
1.3.6.1.4.1.57264.1.14:
..refs/heads/main
1.3.6.1.4.1.57264.1.15:
..55110726
1.3.6.1.4.1.57264.1.16:
..https://gitlab.com/jamietanna
1.3.6.1.4.1.57264.1.17:
..305304
1.3.6.1.4.1.57264.1.18:
.Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
1.3.6.1.4.1.57264.1.19:
.(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
1.3.6.1.4.1.57264.1.20:
..push
1.3.6.1.4.1.57264.1.21:
.Ihttps://gitlab.com/jamietanna/hacking-scorecards-gitlab/-/jobs/6212550642
1.3.6.1.4.1.57264.1.22:
..public
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
Timestamp : Feb 20 12:01:34.423 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:32:4E:FC:E3:4B:90:C6:14:2F:06:1C:1C:
12:13:42:1C:34:3C:4A:1B:E3:5D:C0:A4:DA:8C:26:28:
B4:CE:F6:26:02:20:11:3B:0C:CF:1B:FC:38:AB:E1:AC:
69:C8:5C:71:F6:51:66:C6:FA:33:A3:B3:11:D6:8F:E3:
36:E8:BE:FA:D6:B1
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:65:02:31:00:e3:26:30:93:3d:d1:17:59:e4:87:bb:18:99:
76:01:5d:71:8e:2e:7e:79:58:d5:0f:6c:1c:31:eb:4d:f8:9a:
e8:6a:d2:a1:47:34:9e:2c:36:af:96:70:0d:5a:8c:76:0e:02:
30:25:a1:23:24:44:d6:78:79:49:99:9d:f0:6d:50:47:23:f7:
8f:82:5b:62:09:91:59:91:72:5d:4e:c6:09:a5:a3:4c:67:9a:
a3:e4:b8:ed:60:eb:ac:5c:02:d6:a9:b8:55
I'm taking advantage of sigstore/cosign#2864 to use a Sigstore-specific ID token to provide non-interactive authentication, and then using the CI_JOB_JWT to actually sign the data.
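As an added example (not code from this issue, from scorecard-action or from the scorecard webapp), here is how a verifier can pull the repository and ref out of a Fulcio certificate shaped like the one above and compare them with what the request claims. It assumes the Fulcio OID meanings for 1.3.6.1.4.1.57264.1.12 (source repository URI) and 1.3.6.1.4.1.57264.1.14 (source repository ref); the GitLab SAN layout `https://<host>/<project>//<file>@<ref>` is read off the SAN above, not taken from a spec. `SampleCert` is a constructed fixture that reproduces only that SAN and those two extensions; `VerifyWorkflow` is a hypothetical sketch of the check, not the webapp's implementation.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Fulcio extension OIDs used here (per the sigstore/fulcio OID documentation).
var oidSourceRepoURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
var oidSourceRepoRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14}

// CertClaims is what the verifier needs out of the certificate.
type CertClaims struct {
	RepoURI string // 1.12, e.g. https://gitlab.com/owner/project
	Ref     string // 1.14, e.g. refs/heads/main
	SAN     string // the single URI SAN (workflow identity)
}

// ParseClaims takes cert.Extensions and cert.URIs from a parsed *x509.Certificate
// and pulls out repository URI, ref and SAN.
func ParseClaims(exts []pkix.Extension, uris []*url.URL) (c CertClaims, err error) {
	want := map[string]*string{oidSourceRepoURI.String(): &c.RepoURI, oidSourceRepoRef.String(): &c.Ref}
	for _, ext := range exts {
		dst, ok := want[ext.Id.String()]
		if !ok {
			continue
		}
		// Fulcio v2 values are DER UTF8Strings, hence the tag/length bytes
		// (".W", ".(") openssl prints before each value in the dump above.
		if _, err = asn1.Unmarshal(ext.Value, dst); err != nil {
			return c, fmt.Errorf("extension %s: %w", ext.Id, err)
		}
	}
	if len(uris) != 1 || c.RepoURI == "" || c.Ref == "" {
		return c, errors.New("certificate lacks URI SAN, repository URI or ref")
	}
	c.SAN = uris[0].String()
	return c, nil
}

// SplitGitLabSAN splits the GitLab workflow identity into project, file and ref.
// Assumed format, read off the SAN above: https://<host>/<project>//<file>@<ref>
func SplitGitLabSAN(san string) (project, file, ref string, err error) {
	u, err := url.Parse(san)
	if err != nil {
		return
	}
	path, ref, ok := strings.Cut(strings.TrimPrefix(u.Path, "/"), "@")
	if project, file, _ = strings.Cut(path, "//"); !ok || file == "" {
		err = fmt.Errorf("SAN %q is not <project>//<file>@<ref>", san)
	}
	return
}

// VerifyWorkflow sketches the check behind the error above (hypothetical logic,
// not the webapp's): cert repo/branch must equal the request's and the SAN must agree.
func VerifyWorkflow(c CertClaims, reqRepo, reqBranch string) error {
	u, err := url.Parse(c.RepoURI)
	if err != nil {
		return err
	}
	certRepo, certBranch := strings.Trim(u.Path, "/"), strings.TrimPrefix(c.Ref, "refs/heads/")
	if certRepo != reqRepo || certBranch != reqBranch {
		return fmt.Errorf("workflow verification failed: repository and branch of cert (%s@%s) doesn't match that of request (%s@%s)",
			certRepo, certBranch, reqRepo, reqBranch)
	}
	project, _, ref, err := SplitGitLabSAN(c.SAN)
	if err != nil || project != certRepo || ref != c.Ref {
		return fmt.Errorf("SAN %q disagrees with repository/ref extensions (%v)", c.SAN, err)
	}
	return nil
}

// SampleCert reproduces the SAN and the two extensions from the certificate on
// this page as a constructed fixture (no key, no signature; just the fields).
func SampleCert() ([]pkix.Extension, []*url.URL) {
	utf8 := func(id asn1.ObjectIdentifier, s string) pkix.Extension {
		b, _ := asn1.MarshalWithParams(s, "utf8") // only fails on bad params
		return pkix.Extension{Id: id, Value: b}
	}
	san, _ := url.Parse("https://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main")
	return []pkix.Extension{
		utf8(oidSourceRepoURI, "https://gitlab.com/jamietanna/hacking-scorecards-gitlab"),
		utf8(oidSourceRepoRef, "refs/heads/main"),
	}, []*url.URL{san}
}

func main() {
	claims, err := ParseClaims(SampleCert())
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyWorkflow(claims, "jamietanna/hacking-scorecards-gitlab", "main"))
	fmt.Println(VerifyWorkflow(claims, "jamietanna/hacking-scorecards-gitlab", "develop"))
}
```

The odd characters in the openssl dump are consistent with this encoding: each value is preceded by the UTF8String tag byte 0x0c and a length byte, so `.W` (0x57 = 87) precedes the 87-character SAN string, `.7` (0x37 = 55) the 55-character repository URI, and `.(` (0x28 = 40) each 40-character commit SHA. Reading the dedicated 1.12/1.14 extensions rather than re-parsing the SAN avoids depending on the provider-specific `//` layout, which is exactly where a GitLab identity differs from a GitHub one.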