Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Breaking change: Change SCT verification behavior to default to enforcement #2400

Merged
merged 2 commits into from
Nov 7, 2022
Merged

Breaking change: Change SCT verification behavior to default to enforcement #2400

merged 2 commits into from
Nov 7, 2022

Conversation

haydentherapper
Copy link
Contributor

@haydentherapper haydentherapper commented Nov 2, 2022
edited
Loading

The public good CA always returns an embedded SCT. If you want to skip the check,
you now must provide a flag to do so. Before, you had to provide a flag
to enforce the check.

Fixes #2382

Summary

Release Note

Changed SCT verification to enforce that the Fulcio certificate has been logged

Documentation

haydentherapper
haydentherapper commented Nov 2, 2022
View reviewed changes
pkg/cosign/verify_sct_test.go
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

// TODO: Move back into verify_test.go once the test cert has been regenerated
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI - This was because the test cert is signed with a SHA1 digest algorithm, and golang throws an error in testing. To override, you need to set GODEBUG, but this can't be set in the test itself. I've tried various things, but the easiest was to simply move this test to its own file with a build tag - Note that this is still tested in GHA tests.

@codecov-commenter
Copy link

codecov-commenter commented Nov 2, 2022
edited
Loading

Codecov Report

Merging #2400 (1cb8bfd) into main (1c15b03) will decrease coverage by 0.07%.
The diff coverage is 20.00%.

@@            Coverage Diff             @@
##             main    #2400      +/-   ##
==========================================
- Coverage   30.13%   30.06%   -0.08%     
==========================================
  Files         136      136              
  Lines        8441     8481      +40     
==========================================
+ Hits         2544     2550       +6     
- Misses       5568     5597      +29     
- Partials      329      334       +5
Impacted Files Coverage Δ
cmd/cosign/cli/dockerfile.go 0.00% <0.00%> (ø)
cmd/cosign/cli/manifest.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/certificate.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go 18.53% <0.00%> (-0.40%) ⬇️
cmd/cosign/cli/verify/verify_attestation.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go 45.86% <25.00%> (-0.55%) ⬇️
pkg/cosign/verify.go 34.11% <41.66%> (-0.02%) ⬇️
cmd/cosign/cli/sign/sign.go 15.84% <0.00%> (+0.12%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@haydentherapper
Change SCT verification behavior to default to enforcement
19a5a9d 
The public good CA always returns an embedded SCT. If you want to skip the check,
you now must provide a flag to do so. Before, you had to provide a flag
to enforce the check.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Read detached SCT from flag
d66805d 
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

Resolved merge conflict

@haydentherapper
Copy link
Contributor Author

Bump!

priyawadhwa
priyawadhwa approved these changes Nov 7, 2022
View reviewed changes
Copy link
Contributor

@priyawadhwa priyawadhwa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great!

@dlorenc dlorenc merged commit 1c04ce6 into sigstore:main Nov 7, 2022
@github-actions github-actions bot added this to the v1.14.0 milestone Nov 7, 2022
@haydentherapper haydentherapper deleted the enforce-sct branch November 7, 2022 20:24
@asraa
Copy link
Contributor

asraa commented Nov 8, 2022

@haydentherapper I think this might be breaking tests at head: I think the leaf cert generation doesn't attach an SCT. I have no idea how tests passed though!

--- FAIL: TestValidateAndUnpackCertSuccessWithOtherNameSan (0.00s)
    verify_test.go:658: ValidateAndUnpackCert expected no error, got err = certificate does not include required embedded SCT and no detached SCT was set

@cpanato cpanato mentioned this pull request Nov 14, 2022
Merged
@haydentherapper haydentherapper mentioned this pull request Mar 16, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@priyawadhwa priyawadhwa priyawadhwa approved these changes

@asraa asraa Awaiting requested review from asraa

@bobcallaway bobcallaway Awaiting requested review from bobcallaway

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.14.0
Development

Successfully merging this pull request may close these issues.

Require embedded SCT on verification by default
5 participants
@haydentherapper @codecov-commenter @asraa @priyawadhwa @dlorenc