Add "Source Repository Visibility At Signing" ext #1279
Conversation
feelepxyz
force-pushed
the
feelepxyz/source-visibility
branch
from
b93b15a
to
c99f574
Compare
Adding a new Fulcio cert extension: "Source Repository Visibility At Signing"
Includes the source visibility at the time of signing/creating the
certificate for GitHub Actions (backed by the `repository_visibility`
clam in the GHA ID token). The plan is for GitLab to add a backing ID
token claim to support this extension in the next few weeks.
TL'DR
- Attesting to source visibility in the certificate means we can verify
wether a provenance attestation came from a public/private source
repository without performing a network request to the source
repository at the time of signing
- If you want to verify source visibility some time after signing you
will need to make a unauthenticated network request to the source
repository uri
- npm will start to verify this extension value (if it's set) at the
time of publish and rejecting any public packages with provenance that
come from a private source repository
- npm will also perform a just-in-time reachability checks to the
source repository/commit when viewing a package on npmjs.com
- "Source Repository Visibility At Signing" extension will be optional in
Fulcio to allow CI systems to omit it if they don't have access to this
info
See full discussion here:
sigstore#1263
Signed-off-by: Philip Harrison <philip@mailharrison.com>
feelepxyz
force-pushed
the
feelepxyz/source-visibility
branch
from
c99f574
to
6237781
Compare
Codecov Report
@@ Coverage Diff @@
## main #1279 +/- ##
==========================================
+ Coverage 58.29% 58.40% +0.10%
==========================================
Files 50 50
Lines 3031 3053 +22
==========================================
+ Hits 1767 1783 +16
- Misses 1108 1112 +4
- Partials 156 158 +2
|
| }, | ||
| WantErr: false, | ||
| }, | ||
| `Token missing project_visibility is ok`: { |
There was a problem hiding this comment.
@marshall007 want to check my thinking here, I'm currently only setting this extension for GitLab if the claim exists, and once the gitlab MR lands we can change this to fail, does this make sense?
Signed-off-by: Philip Harrison <philip@mailharrison.com>
feelepxyz
force-pushed
the
feelepxyz/source-visibility
branch
from
83bbd47
to
1072133
Compare
| ### 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing | ||
|
|
||
| Source repository visibility at the time of signing the certificate. MAY be empty if there is no Source Repository Visibility information available. For example: `private` or `public`. | ||
|
|
There was a problem hiding this comment.
@feelepxyz can we clarify what we mean by "repository" in this context? GitLab uses the term "project" to refer to the namespace that encapsulates a git repository (and other features). We support visibility/permission toggles on a per-feature basis, so it is possible for a project to be public while the repository feature itself is private/disabled.
What if Run Invocation URI is not publicly accessible, for example? Can Source Repository Visibility At Signing be public despite Build Config URI pointing to a private project?
Should the intent be for this extension to broadly describe the visibility of all relevant features?
There was a problem hiding this comment.
@haydentherapper sorry for the late feedback. I was typing out as you merged.
There was a problem hiding this comment.
No worries, I'll wait for @feelepxyz in case there's any code changes that need to be made, but I think this should just be docs.
There was a problem hiding this comment.
it is possible for a project to be public while the repository feature itself is private/disabled.
@marshall007 ah right, in this case would it mean that the Source Repository URI would not be reachable without authentication?
Should the intent be for this extension to broadly describe the visibility of all relevant features?
I would imagine the extension would broadly describe the publicly accessible source URIs, wether that is the run invocation uri or source repository uri.
Is project_visibility a good proxy for this?
There was a problem hiding this comment.
I would imagine the extension would broadly describe the publicly accessible source URIs, wether that is the run invocation uri or source repository uri.
@feelepxyz yes, I agree and I think project_visibility is sufficient in signalling the intent.
|
@feelepxyz @marshall007 This is now in staging (or will be in a few minutes), please take a look. |
|
@haydentherapper @marshall007 tested this on github and gitlab against staging fulcio ✅ As expected we get the new cert extension for github (also tested a private repo and works as expected): For GitLab it's unset (as expected because the |
|
Will be in prod in about 5 minutes. |
Summary
Adding a new Fulcio cert extension: "Source Repository Visibility At Signing"
Includes the source visibility at the time of signing/creating the certificate for GitHub Actions (backed by the
repository_visibilityclam in the GHA ID token) and GitLab (backed by the upcomingproject_visibilityclaim).TL'DR
See full discussion here / closes:
#1263
Release Note
Add certificate extension
1.3.6.1.4.1.57264.1.22for "Source Repository Visibility At Signing"