This adds support for handling GitHub's OIDC tokens in addition to Google and SPIFFE.
Github OIDC tokens look something like:
This change verifies things against the `iss` endpoint, and encodes the `job_workflow_ref` into the x509 cert as a URI by prefixing it as:

With the example:
I verified this works** with a local Fulcio setup and some identity tokens I
exfiltrated from actions for the test.
** - The major caveat was that I had to tweak more than I'd have liked to for
my test because things currently use the v1beta1 API, and I had to rejigger
things to use v1 for my local test. I chatted a bunch with @dlorenc
about v1 migration, and the major concern is the backwards compatibility with
the current Fulcio cert, so these changes have those pieces backed out.
/assign @dlorenc
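As an added example (not code from this PR or from Fulcio itself), here is the issuer check and claim-to-URI-SAN mapping described above in Go. The SAN prefix `https://github.com/` is an assumption, since the PR text does not show the prefix actually used, and the claims are assumed to come from a token whose signature has already been verified against the issuer's keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// githubIssuer is the "iss" claim GitHub Actions sets; workflowPrefix is an
// assumption, since the PR text does not show the prefix Fulcio actually uses.
const (
	githubIssuer   = "https://token.actions.githubusercontent.com"
	workflowPrefix = "https://github.com/"
)
// IssueWorkflowCert takes already signature-verified claims, rejects any other
// issuer or a missing job_workflow_ref, and self-signs a short-lived cert whose only SAN is the workflow URI.
func IssueWorkflowCert(claimsJSON []byte) (*x509.Certificate, error) {
	var c struct {
		Issuer         string `json:"iss"`
		JobWorkflowRef string `json:"job_workflow_ref"`
	}
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return nil, err
	}
	if c.Issuer != githubIssuer || c.JobWorkflowRef == "" {
		return nil, fmt.Errorf("rejected token: iss=%q job_workflow_ref=%q", c.Issuer, c.JobWorkflowRef)
	}
	uri, err := url.Parse(workflowPrefix + c.JobWorkflowRef)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{uri}, // job_workflow_ref lands here, not in the subject
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```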