Add "Source Repository Visibility At Signing" ext #1279
Adding a new Fulcio cert extension: "Source Repository Visibility At Signing"

Includes the source visibility at the time of signing/creating the certificate for GitHub Actions (backed by the `repository_visibility` claim in the GHA ID token). The plan is for GitLab to add a backing ID token claim to support this extension in the next few weeks.

TL;DR

- Attesting to source visibility in the certificate means we can verify whether a provenance attestation came from a public/private source repository without performing a network request to the source repository at the time of signing
- If you want to verify source visibility some time after signing you will need to make an unauthenticated network request to the source repository URI
- npm will start to verify this extension value (if it's set) at the time of publish and reject any public packages with provenance that come from a private source repository
- npm will also perform a just-in-time reachability check to the source repository/commit when viewing a package on npmjs.com
- "Source Repository Visibility At Signing" extension will be optional in Fulcio to allow CI systems to omit it if they don't have access to this info

See full discussion here: sigstore#1263

Signed-off-by: Philip Harrison <philip@mailharrison.com>
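The verification side described in the TL;DR, as an added example that is not part of this PR or of Fulcio/npm's own code: it builds a self-signed certificate carrying the `1.3.6.1.4.1.57264.1.22` extension, reads the value back, and applies the publish-time rule (reject a public package whose provenance came from a `private` source repository; allow an absent extension, since the extension is optional). It assumes the value is a DER-encoded ASN.1 UTF8String, as with Fulcio's other newer extensions; the function names (`makeTestCert`, `SourceRepoVisibility`, `CheckPublicPackage`) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID assigned in this PR for "Source Repository Visibility At Signing".
var oidSourceRepoVisibility = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22}

// makeTestCert builds a self-signed stand-in for a Fulcio signing certificate
// (constructed for this example, not a real Fulcio-issued cert). The extension
// value is assumed to be a DER UTF8String; an empty visibility omits the
// extension, mirroring the "MAY be empty" wording of the extension docs.
func makeTestCert(visibility string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-signing-cert"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if visibility != "" {
		val, err := asn1.MarshalWithParams(visibility, "utf8")
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSourceRepoVisibility, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SourceRepoVisibility returns the extension value, "" when the extension is
// absent (it is optional), and an error when it is present but malformed.
func SourceRepoVisibility(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSourceRepoVisibility) {
			continue
		}
		var s string
		rest, err := asn1.Unmarshal(ext.Value, &s)
		if err != nil {
			return "", fmt.Errorf("decode %v: %w", ext.Id, err)
		}
		if len(rest) != 0 {
			return "", errors.New("trailing bytes after visibility string")
		}
		return s, nil
	}
	return "", nil
}

// CheckPublicPackage applies the publish-time policy from the PR description:
// a public package's provenance must not come from a private source repository.
// An absent extension passes, because a CI system may not know the visibility.
func CheckPublicPackage(cert *x509.Certificate) error {
	vis, err := SourceRepoVisibility(cert)
	if err != nil {
		return err
	}
	switch vis {
	case "", "public":
		return nil
	case "private":
		return errors.New("public package provenance signed from a private source repository")
	default:
		return fmt.Errorf("unexpected source repository visibility %q", vis)
	}
}

func main() {
	for _, v := range []string{"public", "private", ""} {
		cert, err := makeTestCert(v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("visibility=%q -> %v\n", v, CheckPublicPackage(cert))
	}
}
```

The policy treats an unknown value as an error rather than silently allowing it, so a typo or a future value has to be handled explicitly by the verifier instead of being accepted as "not private".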
Codecov Report
@@ Coverage Diff @@
## main #1279 +/- ##
==========================================
+ Coverage 58.29% 58.40% +0.10%
==========================================
Files 50 50
Lines 3031 3053 +22
==========================================
+ Hits 1767 1783 +16
- Misses 1108 1112 +4
- Partials 156 158 +2
```go
},
WantErr: false,
},
`Token missing project_visibility is ok`: {
```
@marshall007 want to check my thinking here, I'm currently only setting this extension for GitLab if the claim exists, and once the gitlab MR lands we can change this to fail, does this make sense?
Looks great! LGTM once the tests are passing
### 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing

Source repository visibility at the time of signing the certificate. MAY be empty if there is no Source Repository Visibility information available. For example: `private` or `public`.
@feelepxyz can we clarify what we mean by "repository" in this context? GitLab uses the term "project" to refer to the namespace that encapsulates a git repository (and other features). We support visibility/permission toggles on a per-feature basis, so it is possible for a project to be public while the repository feature itself is private/disabled.
What if Run Invocation URI is not publicly accessible, for example? Can Source Repository Visibility At Signing be `public` despite Build Config URI pointing to a private project?

Should the intent be for this extension to broadly describe the visibility of all relevant features?
@haydentherapper sorry for the late feedback. I was typing out as you merged.
No worries, I'll wait for @feelepxyz in case there's any code changes that need to be made, but I think this should just be docs.
> it is possible for a project to be public while the repository feature itself is private/disabled.

@marshall007 ah right, in this case would it mean that the Source Repository URI would not be reachable without authentication?

> Should the intent be for this extension to broadly describe the visibility of all relevant features?

I would imagine the extension would broadly describe the publicly accessible source URIs, whether that is the run invocation URI or source repository URI.

Is `project_visibility` a good proxy for this?
> I would imagine the extension would broadly describe the publicly accessible source URIs, whether that is the run invocation URI or source repository URI.

@feelepxyz yes, I agree and I think `project_visibility` is sufficient in signalling the intent.

@feelepxyz @marshall007 This is now in staging (or will be in a few minutes), please take a look.

@haydentherapper @marshall007 tested this on github and gitlab against staging fulcio ✅ As expected we get the new cert extension for github (also tested a private repo and works as expected): For GitLab it's unset (as expected because the

Will be in prod in about 5 minutes.
Summary

Adding a new Fulcio cert extension: "Source Repository Visibility At Signing"

Includes the source visibility at the time of signing/creating the certificate for GitHub Actions (backed by the `repository_visibility` claim in the GHA ID token) and GitLab (backed by the upcoming `project_visibility` claim).

TL;DR

See full discussion here / closes: #1263

Release Note

Add certificate extension `1.3.6.1.4.1.57264.1.22` for "Source Repository Visibility At Signing"