Upload entire certificate PEMs to rekor.

[dlorenc]

Signed-off-by: Dan Lorenc dlorenc@google.com

[dlorenc]

This replaces #95

[ahmetb]

Trying to understand the point behind this. I assume this way, we can (1) audit that a certificate signed by fulcio roots exited at one point and (2) parse the certificate to find out CN (the signing party) from the TLog?

[dlorenc]

Trying to understand the point behind this. I assume this way, we can (1) audit that a certificate signed by fulcio roots exited at one point and (2) parse the certificate to find out CN (the signing party) from the TLog?

Hey,

Great question. we first chatted about this here I think: sigstore/rekor#215

The idea is that we can do a "join" between the two transaction logs if we have the full certificate. We'd like to know that the key in Rekor is from a certificate in the transparency log, if we store the entire certificate then we can easily do that lookup.

[dlorenc]

Here's what this looks like:

$ ./cosign sign ghcr.io/dlorenc/signed-container
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=UYaH7536FsxE0ua_k-O68q7MvhBLpfsVZ-m_C6Pvo-U&code_challenge_method=S256&nonce=1qLW9dq5UMA4ZteVRPKFTEdnkoB&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=1qLW9jJvvUPmcTVLwGW1ArV45HJ
Pushing signature to: ghcr.io/dlorenc/signed-container:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.cosign
tlog entry created with index:  2243

$ step certificate inspect <(rekor-cli get --log-index=2243 --format=json | jq -r .Body.RekordObj.signature.publicKey.content | base64 -D)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4712192806030886202998146511552931340840872625 (0xd34d520f06198966a3672b58f2aa4a49dc2ab1)
    Signature Algorithm: ECDSA-SHA384
        Issuer: O=sigstore.dev,CN=sigstore
        Validity
            Not Before: Mar 27 15:33:22 2021 UTC
            Not After : Mar 27 15:53:15 2021 UTC
        Subject: O=lorenc.d@gmail.com,CN=lorenc.d@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    c2:e4:c9:e5:2b:86:4e:66:66:10:35:bc:9a:6d:26:
                    1a:8d:b8:15:32:d4:93:31:2d:55:52:cb:93:50:d3:
                    2b:14
                Y:
                    70:07:8f:7c:63:56:2f:aa:d6:62:46:65:70:e6:99:
                    99:52:b4:e7:33:81:61:5a:fd:95:93:0d:02:0e:25:
                    51:f5
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                14:0A:B7:B8:5E:FC:4F:AC:73:19:76:EA:4E:B5:0F:B9:A9:A1:37:57
            X509v3 Authority Key Identifier:
                keyid:C8:C5:1D:00:41:9A:24:29:32:51:24:EB:0D:AE:4A:ED:4A:06:D3:EC
            Authority Information Access:
                CA Issuers - URI:http://privateca-content-603fe7e7-0000-2227-bf75-f4f5e80d2954.storage.googleapis.com/ca36a1e96242b9fcb146/ca.crt
            X509v3 Subject Alternative Name:
                email:lorenc.d@gmail.com
    Signature Algorithm: ECDSA-SHA384
         30:66:02:31:00:ea:20:f5:c3:5b:9f:22:65:51:42:14:ed:2b:
         56:60:54:5a:03:74:de:c0:90:0d:e2:69:ab:20:5f:65:8e:ef:
         7c:ba:a9:44:d1:06:bd:4c:b5:ca:65:77:30:81:a1:d1:4e:02:
         31:00:d4:14:8d:46:cd:21:11:d5:ae:3d:96:cb:8a:f7:97:f1:
         da:55:61:bb:a1:44:f6:70:10:af:d0:db:db:e8:41:23:80:26:
         8b:a0:93:67:07:09:5c:95:d4:75:31:89:99:04