
Update cosign to v2 #1096

Merged
merged 2 commits into main from cosign-v2
May 22, 2023

Conversation

stefanprodan (Member) commented May 15, 2023

Fix: #979

@stefanprodan added the area/helm, area/oci and dependencies labels May 15, 2023
@stefanprodan force-pushed the cosign-v2 branch 3 times, most recently from afc324d to 0c95ab5, May 15, 2023 10:02
@hiddeco hiddeco self-assigned this May 17, 2023
@hiddeco hiddeco marked this pull request as ready for review May 17, 2023 13:22
@hiddeco hiddeco removed their assignment May 17, 2023
@hiddeco force-pushed the cosign-v2 branch 2 times, most recently from 0d81e75 to 1460f33, May 17, 2023 14:42
@stefanprodan stefanprodan requested a review from a team May 17, 2023 15:21
souleb (Member) commented May 22, 2023

That seems good to me.

For future improvements these are the things I think we should address:

  • appending the signature to the transparency log is the default in v2 (where it was only done for keyless in v1), and we can opt out. We should provide that option.
  • verify an image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI):
    cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com
  • k8s-keychain: whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
  • rekor-url: for private Rekor instances.
  • signature-digest-algorithm: the default is SHA-256.

There is also the topic of SBOM attachment, but there is a different discussion for that.

stefanprodan and others added 2 commits May 22, 2023 11:08
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit properly sets `IgnoreTlog` to `true` when a public key is
provided to check the signature against, which matches the (silent)
default behavior from cosign v1.

However, during this exercise it has become apparent that this
assumption isn't necessarily true, as you can theoretically have a
custom key and a tlog entry.

Given this, we should inventory the possible configuration options
and the potential value they have to users (e.g. defining a custom
Rekor URL seems to be valuable as well), and extend our API to
facilitate these needs.

In addition to the above, the CTLog public keys are now properly
retrieved to avoid a `none of the CTFE keys have been found` error.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
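To make the transparency-log default that the review comment and the commit message above are about concrete, here is an added example (not code from Flux, cosign or this PR) of public-key verification done the way `cosign verify --key` does it: an ECDSA P-256 signature over the SHA-256 of the simple-signing JSON payload, a check that the payload binds the digest that was actually pulled, and then the tlog policy as an explicit switch. The `SignatureLayer` type, the `HasTlogEntry` flag, the `VerifyOptions` type, the image reference and the digest are all constructed for this example; real cosign reads the signature and the Rekor bundle from annotations on the `.sig` OCI layer and verifies the Rekor entry itself rather than testing a boolean.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// SimpleSigning is the JSON payload cosign signs for an image; only the
// fields checked here are modelled.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// SignatureLayer stands in for the OCI layer under the image's ".sig" tag:
// payload bytes plus the base64 signature annotation. HasTlogEntry is a
// constructed flag meaning "a Rekor bundle is attached" (assumption).
type SignatureLayer struct {
	Payload      []byte
	SignatureB64 string
	HasTlogEntry bool
}

// VerifyOptions carries the knob this PR is about: v1 silently skipped the
// transparency log for public-key verification, v2 requires an entry unless
// IgnoreTlog is set.
type VerifyOptions struct {
	IgnoreTlog bool
}

// GenerateKey makes the kind of key `cosign generate-key-pair` produces.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign mimics `cosign sign --key`: ECDSA P-256 over SHA-256 of the payload,
// DER encoded, then base64. withTlog models whether the signer uploaded the
// signature to Rekor (the v2 default) or opted out.
func Sign(priv *ecdsa.PrivateKey, ref, digest string, withTlog bool) (SignatureLayer, error) {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	payload, err := json.Marshal(p)
	if err != nil {
		return SignatureLayer{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return SignatureLayer{}, err
	}
	return SignatureLayer{payload, base64.StdEncoding.EncodeToString(sig), withTlog}, nil
}

// Verify mimics `cosign verify --key`: check the signature, check that the
// payload binds the digest actually pulled, then apply the tlog policy.
func Verify(pub *ecdsa.PublicKey, layer SignatureLayer, wantDigest string, opts VerifyOptions) error {
	sig, err := base64.StdEncoding.DecodeString(layer.SignatureB64)
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	h := sha256.Sum256(layer.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature was not produced by the given public key")
	}
	var p SimpleSigning
	if err := json.Unmarshal(layer.Payload, &p); err != nil {
		return fmt.Errorf("decoding payload: %w", err)
	}
	// Without this check a valid signature over some other image would pass.
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("payload digest %s != image digest %s", p.Critical.Image.DockerManifestDigest, wantDigest)
	}
	if !opts.IgnoreTlog && !layer.HasTlogEntry {
		return errors.New("no transparency log entry; set IgnoreTlog to accept key-only signatures")
	}
	return nil
}

func main() {
	priv, _ := GenerateKey()
	// Constructed digest (SHA-256 of the empty string), not a real image.
	const digest = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
	layer, _ := Sign(priv, "ghcr.io/example/app", digest, false) // key-only, no Rekor upload
	fmt.Println("v1 behaviour:", Verify(&priv.PublicKey, layer, digest, VerifyOptions{IgnoreTlog: true}))
	fmt.Println("v2 default:  ", Verify(&priv.PublicKey, layer, digest, VerifyOptions{}))
}
```

The last two calls are the point of the commit message: the same key-only signature passes under the v1 behaviour (`IgnoreTlog: true`) and fails under the v2 default, so a verifier that upgrades the library without setting `IgnoreTlog` will start rejecting every signature that was never uploaded to Rekor. The reverse case from the commit message, a custom key whose signature does have a tlog entry, is why the option should be exposed rather than hard-wired to `true` whenever a public key is configured.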
@hiddeco merged commit 22aee8d into main May 22, 2023
10 checks passed
@hiddeco deleted the cosign-v2 branch May 22, 2023 09:34
Labels: area/helm, area/oci, dependencies
Linked issue (closed by this PR): Update cosign to v2.0.2