Upload entire certificate PEMs to rekor. #129
Conversation
This replaces #95

Trying to understand the point behind this. I assume this way, we can (1) audit that a certificate signed by fulcio roots existed at one point and (2) parse the certificate to find out CN (the signing party) from the TLog?
Hey, great question. We first chatted about this here I think: sigstore/rekor#215. The idea is that we can do a "join" between the two transaction logs if we have the full certificate. We'd like to know that the key in Rekor is from a certificate in the transparency log; if we store the entire certificate then we can easily do that lookup.
Signed-off-by: Dan Lorenc <dlorenc@google.com>
Here's what this looks like:

```
$ ./cosign sign ghcr.io/dlorenc/signed-container
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=UYaH7536FsxE0ua_k-O68q7MvhBLpfsVZ-m_C6Pvo-U&code_challenge_method=S256&nonce=1qLW9dq5UMA4ZteVRPKFTEdnkoB&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=1qLW9jJvvUPmcTVLwGW1ArV45HJ
Pushing signature to: ghcr.io/dlorenc/signed-container:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.cosign
tlog entry created with index: 2243

$ step certificate inspect <(rekor-cli get --log-index=2243 --format=json | jq -r .Body.RekordObj.signature.publicKey.content | base64 -D)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4712192806030886202998146511552931340840872625 (0xd34d520f06198966a3672b58f2aa4a49dc2ab1)
    Signature Algorithm: ECDSA-SHA384
        Issuer: O=sigstore.dev,CN=sigstore
        Validity
            Not Before: Mar 27 15:33:22 2021 UTC
            Not After : Mar 27 15:53:15 2021 UTC
        Subject: O=lorenc.d@gmail.com,CN=lorenc.d@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    c2:e4:c9:e5:2b:86:4e:66:66:10:35:bc:9a:6d:26:
                    1a:8d:b8:15:32:d4:93:31:2d:55:52:cb:93:50:d3:
                    2b:14
                Y:
                    70:07:8f:7c:63:56:2f:aa:d6:62:46:65:70:e6:99:
                    99:52:b4:e7:33:81:61:5a:fd:95:93:0d:02:0e:25:
                    51:f5
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                14:0A:B7:B8:5E:FC:4F:AC:73:19:76:EA:4E:B5:0F:B9:A9:A1:37:57
            X509v3 Authority Key Identifier:
                keyid:C8:C5:1D:00:41:9A:24:29:32:51:24:EB:0D:AE:4A:ED:4A:06:D3:EC
            Authority Information Access:
                CA Issuers - URI:http://privateca-content-603fe7e7-0000-2227-bf75-f4f5e80d2954.storage.googleapis.com/ca36a1e96242b9fcb146/ca.crt
            X509v3 Subject Alternative Name:
                email:lorenc.d@gmail.com
    Signature Algorithm: ECDSA-SHA384
         30:66:02:31:00:ea:20:f5:c3:5b:9f:22:65:51:42:14:ed:2b:
         56:60:54:5a:03:74:de:c0:90:0d:e2:69:ab:20:5f:65:8e:ef:
         7c:ba:a9:44:d1:06:bd:4c:b5:ca:65:77:30:81:a1:d1:4e:02:
         31:00:d4:14:8d:46:cd:21:11:d5:ae:3d:96:cb:8a:f7:97:f1:
         da:55:61:bb:a1:44:f6:70:10:af:d0:db:db:e8:41:23:80:26:
         8b:a0:93:67:07:09:5c:95:d4:75:31:89:99:04
```
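The "join" described earlier in the thread, and the extraction the `jq | base64 -D | step certificate inspect` pipeline above does by hand, as an added Go example that is not cosign's or rekor's own code: it reads a rekord-shaped entry at the same JSON path the jq filter uses, refuses anything that is not a full `CERTIFICATE` PEM block (a bare public key has nothing to join against the Fulcio log), verifies the chain to a trusted root at the time the entry was integrated rather than at `time.Now()` (the certificate above is valid for twenty minutes, so a present-time check would reject every historical entry), and returns the email SAN as the signer identity. `JoinRekorEntry`, `NewFixture`, the throwaway root CA and leaf, the rekord-shaped JSON and the assumed 30-second gap between issuance and integration are this example's own constructions, not real Fulcio or Rekor data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rekord mirrors only the fields of a Rekor "rekord" body this example reads, at the
// path the jq filter above uses: .Body.RekordObj.signature.publicKey.content (base64 PEM).
type rekord struct {
	Body struct {
		RekordObj struct {
			Signature struct {
				PublicKey struct{ Content string `json:"content"` } `json:"publicKey"`
			} `json:"signature"`
		} `json:"RekordObj"`
	} `json:"Body"`
}

// JoinRekorEntry performs the "join": it decodes publicKey.content, insists on a full
// CERTIFICATE block (a bare PUBLIC KEY has nothing to match against Fulcio's log), verifies
// the chain to roots at the entry's integration time, and returns the email SAN and the cert.
func JoinRekorEntry(entryJSON []byte, roots *x509.CertPool, integratedAt time.Time) (string, *x509.Certificate, error) {
	var e rekord
	if err := json.Unmarshal(entryJSON, &e); err != nil {
		return "", nil, fmt.Errorf("decode entry: %w", err)
	}
	raw, err := base64.StdEncoding.DecodeString(e.Body.RekordObj.Signature.PublicKey.Content)
	if err != nil {
		return "", nil, fmt.Errorf("base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", nil, fmt.Errorf("publicKey.content is not a CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", nil, fmt.Errorf("parse certificate: %w", err)
	}
	// Fulcio leaves live about 20 minutes (see the Validity above), so checking against
	// time.Now() would reject every historical entry; verify at the integration time instead.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: integratedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return "", nil, fmt.Errorf("chain to trusted root: %w", err)
	}
	if len(cert.EmailAddresses) != 1 {
		return "", nil, fmt.Errorf("expected one email SAN, got %d", len(cert.EmailAddresses))
	}
	return cert.EmailAddresses[0], cert, nil
}

// NewFixture is constructed test data, not a real Fulcio root or Rekor entry: a throwaway
// root CA, a 20-minute code-signing leaf for email, and a rekord-shaped entry carrying the
// leaf certificate or, if bareKey, only its public key. The returned time is the assumed
// integration time, 30s after issuance.
func NewFixture(email string, bareKey bool) ([]byte, *x509.CertPool, time.Time, error) {
	issued := time.Date(2021, 3, 27, 15, 33, 22, 0, time.UTC) // the Not Before shown above
	at := issued.Add(30 * time.Second)
	rootKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{Organization: []string{"sigstore.dev"}, CommonName: "sigstore"},
		NotBefore: issued.Add(-time.Hour), NotAfter: issued.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, at, err
	}
	root, _ := x509.ParseCertificate(rootDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{Organization: []string{email}, CommonName: email},
		NotBefore:   issued, NotAfter: issued.Add(20 * time.Minute), BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, EmailAddresses: []string{email}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, at, err
	}
	block := &pem.Block{Type: "CERTIFICATE", Bytes: leafDER}
	if bareKey { // only the key, no certificate: nothing to join against
		spki, _ := x509.MarshalPKIXPublicKey(&leafKey.PublicKey)
		block = &pem.Block{Type: "PUBLIC KEY", Bytes: spki}
	}
	var e rekord
	e.Body.RekordObj.Signature.PublicKey.Content = base64.StdEncoding.EncodeToString(pem.EncodeToMemory(block))
	entry, err := json.Marshal(&e)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return entry, roots, at, err
}
```

A real verifier would take the integration time from the log entry itself and the root pool from the Fulcio root it trusts; the returned certificate also lets the caller confirm that `cert.PublicKey` is the key the rekord signature verifies under, which is the other half of the join.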