`cosigned` should support verifying `Fulcio` signatures #866

mattmoor · 2021-10-10T02:19:59Z

Description

Today the cosigned webhook requires folks to setup k8s://cosign-system/verification-key with the public key that should be used for verification. The webhook passes the following CheckOpts:

cosign/pkg/cosign/kubernetes/webhook/validation.go

Lines 61 to 62 in 278ad7d

    
           RootCerts:     fulcioroots.Get(), 
        
           SigVerifier:   ecdsaVerifier,

... which includes a SigVerifier based on the verification key, which sends us through this path in Verify:

cosign/pkg/cosign/verify.go

Lines 143 to 150 in 278ad7d

    
           case co.SigVerifier != nil: 
        
           	signature, err := base64.StdEncoding.DecodeString(b64sig) 
        
           	if err != nil { 
        
           		return err 
        
           	} 
        
           	if err := co.SigVerifier.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx)); err != nil { 
        
           		return err 
        
           	}

... but for Fulcio we want things to follow this path:

cosign/pkg/cosign/verify.go

Lines 151 to 184 in 278ad7d

    
           // If we don't have a public key to check against, we can try a root cert. 
        
           case co.RootCerts != nil: 
        
           	// There might be signatures with a public key instead of a cert, though 
        
           	if cert == nil { 
        
           		return errors.New("no certificate found on signature") 
        
           	} 
        
           	pub, err := signature.LoadECDSAVerifier(cert.PublicKey.(*ecdsa.PublicKey), crypto.SHA256) 
        
           	if err != nil { 
        
           		return errors.Wrap(err, "invalid certificate found on signature") 
        
           	} 
        
           	// Now verify the cert, then the signature. 
        
           	if err := TrustedCert(cert, co.RootCerts); err != nil { 
        
           		return err 
        
           	} 
        
           	signature, err := base64.StdEncoding.DecodeString(b64sig) 
        
           	if err != nil { 
        
           		return err 
        
           	} 
        
           	if err := pub.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx)); err != nil { 
        
           		return err 
        
           	} 
        
           	if co.CertEmail != "" { 
        
           		emailVerified := false 
        
           		for _, em := range cert.EmailAddresses { 
        
           			if co.CertEmail == em { 
        
           				emailVerified = true 
        
           				break 
        
           			} 
        
           		} 
        
           		if !emailVerified { 
        
           			return errors.New("expected email not found in certificate") 
        
           		} 
        
           	}

The text was updated successfully, but these errors were encountered:

mattmoor · 2021-10-10T02:25:31Z

Here's sort of what I'm thinking:

Switch from using a secret for verification-key to using a ConfigMap (since it's a public key, when specified).
When the key isn't specified, verify against the Fulcio roots.

Over time, we can use this configmap to pass additional configuration, including:

Alternate Fulcio root certs (e.g. if a custom Fulcio root is in use),
A Rekor URL to verify transparency logs.

... and likely a bunch more (e.g. stuff like CertEmail in CheckOpts).

cc @dlorenc @dekkagaijin @n3wscott for thoughts

mattmoor · 2021-10-10T02:28:20Z

I guess we could start verifying against Fulcio when no key is specified without the ConfigMap switch too, but I do think a ConfigMap switch is in our not-to-distant future 🤔

This change makes it so that when `cosigned` is enabled on a namespace, and no public key is provided the webhook will verify things against the Fulcio root. The basic idea here is that this roughly matches the CLI where omitting the key will verify things against the Fulcio root instead. Related: sigstore#866 Signed-off-by: Matt Moore <mattomata@gmail.com>

This change makes it so that when `cosigned` is enabled on a namespace, and no public key is provided the webhook will verify things against the Fulcio root. The basic idea here is that this roughly matches the CLI where omitting the key will verify things against the Fulcio root instead. Related: #866 Signed-off-by: Matt Moore <mattomata@gmail.com>

mattmoor · 2021-10-19T20:41:23Z

I'm going to close this, and we can open a new issue for greater configurability.

mattmoor added the enhancement New feature or request label Oct 10, 2021

mattmoor mentioned this issue Oct 10, 2021

Allow cosigned to validate Fulcio signatures. #867

Merged

mattmoor closed this as completed Oct 19, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`cosigned` should support verifying `Fulcio` signatures #866

`cosigned` should support verifying `Fulcio` signatures #866

mattmoor commented Oct 10, 2021

mattmoor commented Oct 10, 2021

mattmoor commented Oct 10, 2021

mattmoor commented Oct 19, 2021

cosigned should support verifying Fulcio signatures #866

cosigned should support verifying Fulcio signatures #866

Comments

mattmoor commented Oct 10, 2021

mattmoor commented Oct 10, 2021

mattmoor commented Oct 10, 2021

mattmoor commented Oct 19, 2021

`cosigned` should support verifying `Fulcio` signatures #866

`cosigned` should support verifying `Fulcio` signatures #866