cmd/sign: Add -cert flag #451

Merged
merged 2 commits into from
Jul 19, 2021

Conversation

jalseth
Contributor

@jalseth jalseth commented Jul 18, 2021

The -cert flag allows for the certificate to be included in the
Signature object when signing with -key or -sk. Adding this
certificate ensures that a verifying party does not need to fetch the
certificate from some unknown location before being able to validate the
identity of the actor that created the signature.


This also includes a refactor of the pivkey library to make it more idiomatic and to resolve an issue where calling NewPublicKeyProvider or NewSignerVerifier would lock the PIV token until the program had exited, making future calls to the PIV token outside of the signer/verifier flow impossible.

This refactor abstracts away the need to directly call the upstream
piv-go library, implements a common SignerVerifier interface so there
is no need to maintain separate types for ECDSA and RSA private keys,
and overall is more idiomatic. Additionally, it fixes an issue where the
previous initialization functions would lock access to the PIV token,
preventing subsequent access even if the original caller no longer had
a need to access the token.

Signed-off-by: James Alseth <james@jalseth.me>

The `-cert` flag allows for the certificate to be included in the
Signature object when signing with `-key` or `-sk`. Adding this
certificate ensures that a verifying party does not need to fetch the
certificate from some unknown location before being able to validate the
identity of the actor that created the signature.

Signed-off-by: James Alseth <james@jalseth.me>
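As an added illustration of what the `-cert` flag buys a verifying party (example code, not code from cosign or from this PR): a signer that returns its certificate next to the signature, and a verifier that takes the public key from that embedded certificate instead of fetching it. `NewSigner` is a constructed self-signed fixture standing in for a CA-issued certificate; everything else is the Go standard library. The example also shows the check that embedding does not remove: the verifier must still chain the embedded certificate to a root it trusts before using its key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewSigner builds a P-256 key and a self-signed cert for it. Constructed fixture only:
// a real signer's certificate is issued by a CA the verifier already trusts.
func NewSigner() (key *ecdsa.PrivateKey, cert *x509.Certificate, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "signer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return key, cert, err
}

// Sign signs SHA-256(payload) and returns the signature together with the signer's
// certificate as PEM, which is the extra piece the -cert flag attaches.
func Sign(key *ecdsa.PrivateKey, cert *x509.Certificate, payload []byte) (sig, certPEM []byte, err error) {
	h := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), err
}

// Verify takes the public key from the embedded certificate, but only after the
// certificate chains to roots: embedding removes the fetch, not the trust check.
func Verify(payload, sig, certPEM []byte, roots *x509.CertPool) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no certificate embedded with the signature")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // untrusted certificate: reject before looking at the signature
	}
	// CheckSignature hashes payload with SHA-256 and verifies it under cert's key.
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}
```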
@cpanato cpanato added this to the v1.0.0 milestone Jul 19, 2021
Member

@dlorenc dlorenc left a comment

Nice! Ran tests again locally.

@dlorenc dlorenc merged commit 9adaad5 into sigstore:main Jul 19, 2021
@jalseth jalseth deleted the add-cert-flag branch July 19, 2021 15:45