
Support Azure KMS #399

Closed
cpanato opened this issue Jul 1, 2021 · 7 comments
enhancement New feature or request

Comments

cpanato (Member) commented Jul 1, 2021

Description

Support Azure KMS

@cpanato cpanato added the enhancement New feature or request label Jul 1, 2021
@cpanato cpanato self-assigned this Jul 1, 2021
developer-guy (Member) commented

We are currently working on this with my colleague @Dentrax.

cpanato (Member, Author) commented Jul 6, 2021

@developer-guy there is a PR in WIP, sigstore/sigstore#76, please take a look at that.

containerpope commented

@cpanato I think I discovered a problem in the current implementation when the signature is verified with the local cosign.pub cert that gets created automatically when you initialize the KeyVault (signing worked like a charm):

cosign verify -key cosign.pub XYZ.azurecr.io/example-func:1.0.0
error: no matching signatures:
failed to verify signature

When I verify via the kms flag, it works fine:

cosign verify -key azurekms://XYZ-kv.vault.azure.net/cosign XYZ.azurecr.io/example-func:1.0.0

Verification for XYZ.azurecr.io/example-func:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"XYZ.azurecr.io/example-func"},"image":{"docker-manifest-digest":"sha256:e231349fdf394a570e0cb84fe5109bc6980f52b84dd219fcae9922922a715d7d"},"type":"cosign container image signature"},"optional":{"tag":"1.0.0"}}

Is there something wrong with the cosign.pub that gets persisted to disk when you initialize the KeyVault? I have also tested an override with the public-key command; sadly, I get the same result:

cosign public-key -key azurekms://XYZ-kv.vault.azure.net/cosign > cosign.pub
cosign verify -key cosign.pub XYZ.azurecr.io/example-func:1.0.0
error: no matching signatures:
failed to verify signature

Did I do something wrong in the commands?

cpanato (Member, Author) commented Jul 24, 2021

@containerpope thanks for raising this, I will take a look, reproduce it and see how to fix it.
Sorry if that caused any trouble.

containerpope commented

@cpanato no worries, I was just testing on our dev environment. If you need more data or logs, feel free to reach out and I will try to provide some.

containerpope commented

@cpanato I investigated further and also downloaded the certificate with the az tooling:

az keyvault key download --vault-name vault-name -n cosign -e PEM -f mykey.pem

The certificates are identical, so it seems that cosign verify just does not work properly with the local certificate. In case you use the key vault KMS command to verify it, it works. Is there any difference between the implementations?
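The comparison above ("the certificates are identical") is worth making on the decoded key bytes rather than by eye, because two PEM files can differ only in line wrapping or line endings and still carry the same key, or look alike and differ in one character. The following script is an added example, not part of this issue or of cosign/sigstore; it assumes the two inputs are the local cosign.pub and the key exported with `cosign public-key` or `az keyvault key download`, and the sample PEM blocks it embeds are constructed from arbitrary bytes, not real keys.

```python
"""Compare two PEM-encoded public keys by their DER bytes and SHA-256 fingerprint.

Added example for the cosign/Azure KMS discussion; not code from cosign or
sigstore. Usage: python compare_pubkeys.py cosign.pub mykey.pem
"""
import base64
import hashlib
import re
import sys
from typing import Dict, Tuple

# Matches the first PEM block (BEGIN/END labels must agree), body captured lazily.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_to_der(pem_text: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes) of the first PEM block in pem_text.

    All whitespace in the body is dropped first, so differences in line
    wrapping, trailing spaces or CRLF vs LF line endings do not change the result.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", match.group("body"))
    return match.group("label"), base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of the DER encoding; this is what to compare and log."""
    return hashlib.sha256(der).hexdigest()


def describe(pem_text: str) -> Dict[str, object]:
    """Summarize a PEM file: label, DER length and fingerprint."""
    label, der = pem_to_der(pem_text)
    return {"label": label, "der_len": len(der), "sha256": fingerprint(der)}


def same_key(pem_a: str, pem_b: str) -> bool:
    """True when both PEM inputs decode to byte-identical DER."""
    return pem_to_der(pem_a)[1] == pem_to_der(pem_b)[1]


# Constructed samples (NOT real keys): the same 48 arbitrary bytes wrapped two
# ways, plus a block that differs by one byte.
_DER = bytes(range(48))
_B64 = base64.b64encode(_DER).decode()  # 64 base64 characters, no padding
SAMPLE_A = "-----BEGIN PUBLIC KEY-----\n" + _B64 + "\n-----END PUBLIC KEY-----\n"
SAMPLE_B = (
    "-----BEGIN PUBLIC KEY-----\r\n"
    + _B64[:32] + "\r\n" + _B64[32:] + "\r\n"
    + "-----END PUBLIC KEY-----\r\n"
)
_OTHER_B64 = base64.b64encode(bytes(range(1, 49))).decode()
SAMPLE_OTHER = "-----BEGIN PUBLIC KEY-----\n" + _OTHER_B64 + "\n-----END PUBLIC KEY-----\n"


def main(argv) -> int:
    if len(argv) != 3:
        print("usage: compare_pubkeys.py FIRST.pem SECOND.pem", file=sys.stderr)
        return 2
    with open(argv[1]) as fa, open(argv[2]) as fb:
        text_a, text_b = fa.read(), fb.read()
    for path, text in ((argv[1], text_a), (argv[2], text_b)):
        print(path, describe(text))
    match = same_key(text_a, text_b)
    print("MATCH" if match else "DIFFERENT")
    return 0 if match else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the fingerprints match, the local file and the KMS-exported key are the same and the verification difference lies elsewhere (for example in how the verifier loads or uses the key); if they differ, the file on disk is not the key that signed the image.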

dlorenc (Member) commented Aug 28, 2021

Closing this issue now, support is in although there are bugs!

@dlorenc dlorenc closed this as completed Aug 28, 2021