Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability for verify-blob to find signing cert in transparency log #991

Merged
merged 1 commit into from
Nov 3, 2021
Merged

Add ability for verify-blob to find signing cert in transparency log #991

merged 1 commit into from
Nov 3, 2021

Conversation

DennisDenuto
Copy link
Contributor

@DennisDenuto DennisDenuto commented Nov 2, 2021
edited
Loading

Summary

When a user has opted into keyless mode, and they have signed a blob, allow a user to verify a blob without having to specify a certificate.

questions / concerns:

  • Currently, the first certificate found in the tlog (for the blob) is used when verifying. However, this might not be the correct cert to use when verifying. I'm not sure what the best ux around this should be. Perhaps a new flag should be introduced to help narrow down which cert is used to verify the blob. (Allow the user to specify a subject / email address?) or perhaps cosign should loop through all the certificates it finds and attempt to verify the blob + sig against each one (this has performance implications)
  • where is a good place to add tests?

Ticket Link

Aims to improve #676 (comment)

Release Notes

When a user has opted into keyless mode, and they have signed a blob, allow a user to verify a blob without having to specify a certificate.

@DennisDenuto
Add ability for verify-blob to find signing cert in transparency log
4318aee 
- Uses the first tlog entry it finds
- Verifies provided cert / public key. If one isn't provided by the
user, it will find it in the tlog (if experimental feature flag is
enabled)

Authored-by: Dennis Leon <leonde@vmware.com>
Signed-off-by: Dennis Leon <leonde@vmware.com>
@DennisDenuto DennisDenuto marked this pull request as ready for review November 2, 2021 23:23
@naveensrinivasan
Copy link
Contributor

Summary

When a user has opted into keyless mode, and they have signed a blob, allow a user to verify a blob without having to specify a certificate.

questions / concerns:

  • Currently, the first certificate found in the tlog (for the blob) is used when verifying. However, this might not be the correct cert to use when verifying. I'm not sure what the best ux around this should be. Perhaps a new flag should be introduced to help narrow down which cert is used to verify the blob. (Allow the user to specify a subject / email address?) or perhaps cosign should loop through all the certificates it finds and attempt to verify the blob + sig against each one (this has performance implications)
  • where is a good place to add tests?

Ticket Link

Aims to improve #676 (comment)

Release Notes

When a user has opted into keyless mode, and they have signed a blob, allow a user to verify a blob without having to specify a certificate.

We were looking for the same. Thanks

@dlorenc
Copy link
Member

dlorenc commented Nov 3, 2021

This is awesome! Thanks so much!

@dlorenc dlorenc merged commit 5deaca0 into sigstore:main Nov 3, 2021
@github-actions github-actions bot added this to the v1.3.0 milestone Nov 3, 2021
@naveensrinivasan
Copy link
Contributor

@DennisDenuto The cosign still looks for a cert Error: verifying blob [go.mod]: exactly one of: key reference (--key), certificate (--cert) or hardware token (--sk) must be provided. I pulled down the head and tried to verify this.

@DennisDenuto
Copy link
Contributor Author

@naveensrinivasan hmm did you set the experimental flag on? i.e COSIGN_EXPERIMENTAL=1

@cpanato cpanato modified the milestones: v1.3.0, v1.4.0 Nov 7, 2021
@dlorenc dlorenc mentioned this pull request Nov 10, 2021
Closed
This was referenced Nov 10, 2021
Closed
Closed
Open
@cpanato cpanato modified the milestones: v1.4.0, v1.3.1 Nov 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.3.1
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@DennisDenuto @naveensrinivasan @dlorenc @cpanato