chainloop-dev · jiparis · Apr 30, 2025 · Apr 30, 2025 · Apr 30, 2025 · Apr 30, 2025
diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx
@@ -270,7 +270,7 @@ chainloop attestation init [flags]
 Options
 
 ```
---contract string         name of an existing contract or the path/URL to a contract file, to attach it to the auto-created workflow (it doesn't update an existing one)
+--contract string         name of an existing contract or the path/URL to a contract file to be used in the attestation. It will update any existing contract for the workflow
 --contract-revision int   revision of the contract to retrieve, "latest" by default
 --dry-run                 do not record attestation in the control plane, useful for development
 -h, --help                    help for init

diff --git a/app/cli/internal/action/attestation_init.go b/app/cli/internal/action/attestation_init.go
@@ -154,7 +154,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		attestationID          string
 		blockOnPolicyViolation bool
 		// Timestamp Authority URL for new attestations
-		timestampAuthorityURL string
+		timestampAuthorityURL, signingCAName string
 	)
 
 	// Init in the control plane if needed including the runner context
@@ -180,6 +180,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		workflowMeta.Organization = runResp.GetResult().GetOrganization()
 		blockOnPolicyViolation = runResp.GetResult().GetBlockOnPolicyViolation()
 		timestampAuthorityURL = runResp.GetResult().GetSigningOptions().GetTimestampAuthorityUrl()
+		signingCAName = runResp.GetResult().GetSigningOptions().GetSigningCa()
 		if v := workflowMeta.Version; v != nil {
 			workflowMeta.Version.Prerelease = runResp.GetResult().GetWorkflowRun().Version.GetPrerelease()
 		}
@@ -198,7 +199,10 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		AttestationID:          attestationID,
 		Runner:                 discoveredRunner,
 		BlockOnPolicyViolation: blockOnPolicyViolation,
-		SigningOptions:         &crafter.SigningOpts{TimestampAuthorityURL: timestampAuthorityURL},
+		SigningOptions: &crafter.SigningOpts{
+			TimestampAuthorityURL: timestampAuthorityURL,
+			SigningCAName:         signingCAName,
+		},
 	}
 
 	if err := action.c.Init(ctx, initOpts); err != nil {

diff --git a/app/controlplane/api/controlplane/v1/workflow_run.pb.go b/app/controlplane/api/controlplane/v1/workflow_run.pb.go
diff --git a/app/controlplane/api/controlplane/v1/workflow_run.proto b/app/controlplane/api/controlplane/v1/workflow_run.proto
@@ -138,6 +138,8 @@ message AttestationServiceInitResponse {
   message SigningOptions {
     // TSA service to be used for signing
     string timestamp_authority_url = 1;
+    // If set, the attestation wil be signed with ephemeral certificates issued by this CA
+    string signing_ca = 2;
   }
 }
 

diff --git a/app/controlplane/api/gen/frontend/attestation/v1/crafting_state.ts b/app/controlplane/api/gen/frontend/attestation/v1/crafting_state.ts
diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/workflow_run.ts b/app/controlplane/api/gen/frontend/controlplane/v1/workflow_run.ts
diff --git a/...controlplane/api/gen/jsonschema/attestation.v1.Attestation.SigningOptions.jsonschema.json b/...controlplane/api/gen/jsonschema/attestation.v1.Attestation.SigningOptions.jsonschema.json
diff --git a/app/controlplane/api/gen/jsonschema/attestation.v1.Attestation.SigningOptions.schema.json b/app/controlplane/api/gen/jsonschema/attestation.v1.Attestation.SigningOptions.schema.json
diff --git a/.../jsonschema/controlplane.v1.AttestationServiceInitResponse.SigningOptions.jsonschema.json b/.../jsonschema/controlplane.v1.AttestationServiceInitResponse.SigningOptions.jsonschema.json
diff --git a/.../gen/jsonschema/controlplane.v1.AttestationServiceInitResponse.SigningOptions.schema.json b/.../gen/jsonschema/controlplane.v1.AttestationServiceInitResponse.SigningOptions.schema.json
diff --git a/app/controlplane/internal/service/attestation.go b/app/controlplane/internal/service/attestation.go
@@ -185,9 +185,16 @@ func (s *AttestationService) Init(ctx context.Context, req *cpAPI.AttestationSer
 		BlockOnPolicyViolation: org.BlockOnPolicyViolation,
 	}
 
+	resp.SigningOptions = &cpAPI.AttestationServiceInitResponse_SigningOptions{}
 	tsa := s.signingUseCase.GetCurrentTSA()
 	if tsa != nil {
-		resp.SigningOptions = &cpAPI.AttestationServiceInitResponse_SigningOptions{TimestampAuthorityUrl: tsa.URL.String()}
+		resp.SigningOptions.TimestampAuthorityUrl = tsa.URL.String()
+	}
+
+	ca := s.signingUseCase.GetSigningCA()
+	if ca != nil {
+		// Return the name of the configured signing CA
+		resp.SigningOptions.SigningCa = ca.GetName()
 	}
 
 	return &cpAPI.AttestationServiceInitResponse{Result: resp}, nil

diff --git a/app/controlplane/pkg/biz/signing.go b/app/controlplane/pkg/biz/signing.go
@@ -142,6 +142,17 @@ func (s *SigningUseCase) GetCurrentTSA() *TimestampAuthority {
 	return nil
 }
 
+// GetSigningCA returns the current CA authority (if any) used for signing
+func (s *SigningUseCase) GetSigningCA() ca.CertificateAuthority {
+	// No CA configured
+	if s.CAs == nil {
+		return nil
+	}
+
+	// Return signing CA (it can be nil if not configured)
+	return s.CAs.SignerCA
+}
+
 // CreateSigningCert signs a certificate request with a configured CA, and returns the full certificate chain
 func (s *SigningUseCase) CreateSigningCert(ctx context.Context, orgID string, csrRaw []byte) ([]string, error) {
 	if s.CAs == nil {

diff --git a/app/controlplane/pkg/biz/signing_test.go b/app/controlplane/pkg/biz/signing_test.go
@@ -57,6 +57,10 @@ func (e TestCA) GetRootChain(ctx context.Context) ([]*x509.Certificate, error) {
 	return tb[0], nil
 }
 
+func (e TestCA) GetName() string {
+	return "test"
+}
+
 func NewTestCA() (*TestCA, error) {
 	ca, err := ephemeralca.NewEphemeralCA()
 	if err != nil {

diff --git a/app/controlplane/pkg/ca/ca.go b/app/controlplane/pkg/ca/ca.go
@@ -33,6 +33,8 @@ type CertificateAuthority interface {
 	CreateCertificateFromCSR(ctx context.Context, principal identity.Principal, csr *x509.CertificateRequest) (*ca.CodeSigningCertificate, error)
 	// GetRootChain returns the root certificate chain
 	GetRootChain(ctx context.Context) ([]*x509.Certificate, error)
+	// GetName returns the name of the CA
+	GetName() string
 }
 
 type CertificateAuthorities struct {

diff --git a/app/controlplane/pkg/ca/ejbca/ejbca.go b/app/controlplane/pkg/ca/ejbca/ejbca.go
@@ -33,6 +33,8 @@ import (
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 
+const CAName = "ejbCA"
+
 type EJBCA struct {
 	// Connection settings
 	// EJBCA installation. ie https://localhost/ejbca/
@@ -177,7 +179,7 @@ func (e EJBCA) CreateCertificateFromCSR(ctx context.Context, principal identity.
 }
 
 func (e EJBCA) GetRootChain(_ context.Context) ([]*x509.Certificate, error) {
-	// current implementation relies on the rootCAPath from the config. Future implementation should use
+	// The current implementation relies on the rootCAPath from the config. Future implementation should use
 	//  /v1/ca and /v1/ca/{subject_dn}/certificate/download APIs instead
 	if e.rootCAPath != "" {
 		caCert, err := os.ReadFile(e.rootCAPath)
@@ -188,3 +190,7 @@ func (e EJBCA) GetRootChain(_ context.Context) ([]*x509.Certificate, error) {
 	}
 	return nil, nil
 }
+
+func (e EJBCA) GetName() string {
+	return CAName
+}
diff --git a/app/controlplane/pkg/ca/fileca/fileca.go b/app/controlplane/pkg/ca/fileca/fileca.go
@@ -25,6 +25,8 @@ import (
 	"github.com/sigstore/fulcio/pkg/identity"
 )
 
+const CAName = "fileCA"
+
 type FileCA struct {
 	ca fulcioca.CertificateAuthority
 }
@@ -50,3 +52,7 @@ func (f FileCA) GetRootChain(ctx context.Context) ([]*x509.Certificate, error) {
 	}
 	return tb[0], nil
 }
+
+func (f FileCA) GetName() string {
+	return CAName
+}