-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature Check: Check Expected Identity in Certificate #767
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
This commit adds a --to-days flag to complement --from-days which enables defining ranges to look at. Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
This commit adds a --limit flag to limit the number of checks kpromo will check for signatures Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
Add identity and issuer options plus cosign-comaptible flags to override them. Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
k8s-ci-robot
added
release-note
Denotes a PR that will be considered when it comes time to generate release notes.
kind/feature
Categorizes issue or PR as related to a new feature.
cncf-cla: yes
Indicates the PR's author has signed the CNCF CLA.
area/artifacts
Issues or PRs related to the hosting of release artifacts for subprojects
area/release-eng
Issues or PRs related to the Release Engineering subproject
approved
Indicates a PR has been approved by an approver from all required OWNERS files.
sig/release
Categorizes an issue or PR as relevant to SIG Release.
size/L
Denotes a PR that changes 100-499 lines, ignoring generated files.
labels
Mar 13, 2023
/retest |
kpromo sigcheck now checks the signature certificate to ensure it is signed by the expected identity. Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garc铆a Veytia (Puerco) <puerco@chainguard.dev>
saschagrunert
approved these changes
Mar 14, 2023
k8s-ci-robot
added
the
lgtm
"Looks good to me", indicates that a PR is ready to be merged.
label
Mar 14, 2023
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: puerco, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
approved
Indicates a PR has been approved by an approver from all required OWNERS files.
area/artifacts
Issues or PRs related to the hosting of release artifacts for subprojects
area/release-eng
Issues or PRs related to the Release Engineering subproject
cncf-cla: yes
Indicates the PR's author has signed the CNCF CLA.
kind/feature
Categorizes issue or PR as related to a new feature.
lgtm
"Looks good to me", indicates that a PR is ready to be merged.
release-note
Denotes a PR that will be considered when it comes time to generate release notes.
sig/release
Categorizes an issue or PR as relevant to SIG Release.
size/L
Denotes a PR that changes 100-499 lines, ignoring generated files.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR improves the promoter's signature check code to open the image signatures and look for the expected identity. When verifying signatures, kpromo will now open the signature layer and inspect the certificate, matching it against the expected identity.
The default identity is the kubernetes signer service account (
krel-trust@k8s-releng-prod.iam.gserviceaccount.com
) and the expected OIDC identity issuer ishttps://accounts.google.com
. These can however be modified by defining two new flags:--certificate-identity
and--certificate-oidc-issuer
.The PR also introduces two quality of life features: The capability to specify date ranges of images to chack and limit the number of images to verify. Here's what the sigcheck subcommand help looks like now:
Which issue(s) this PR fixes:
NONE
Special notes for your reviewer:
馃憠 Here are some tests that can be done using this branch:
To check an unsigned image:
kpromo sigcheck registry.k8s.io/kube-controller-manager:v1.25.7
To check a signed image:
kpromo sigcheck registry.k8s.io/conformance:v1.23.17
To check an image signed with the wrong identity:
kpromo sigcheck --log-level=debug k8s.gcr.io/kube-apiserver:v1.26.0-alpha.3
/cc @cpanato
Does this PR introduce a user-facing change?