
[DNM] Open for testing #216

Closed
wants to merge 1 commit into from

Conversation

mattmoor
Member

Builds on #215.

I'm using this to test KinD on GHA.

@mattmoor mattmoor force-pushed the keyless-verification branch 8 times, most recently from 009f05d to 10661c1 on October 27, 2021 04:17
@mattmoor
Member Author

Ok, I think that aside from using SoftHSM, this is very nearly ready. I've gotten past a few wrinkles around validating the OIDC token, so we're past that, and it's not clearly failing trying to interact with the googleca:

2021-10-27T04:20:24.651422404Z stderr F {"severity":"info","ts":1635308424.6512873,"caller":"api/googleca_signing_cert.go:50","message":"requesting cert from -----BEGIN CERTIFICATE-----\nMIICyjCCAlCgAwIBAgITEfJ495apY+Xh6mwKJSeVKElaSjAKBggqhkjOPQQDAzAq\nMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx\nMDMwNzE0NDU1N1oXDTIxMDMwNzE1MDU1MFowOjEbMBkGA1UECgwSbG9yZW5jLmRA\nZ21haWwuY29tMRswGQYDVQQDDBJsb3JlbmMuZEBnbWFpbC5jb20wdjAQBgcqhkjO\nPQIBBgUrgQQAIgNiAARGGPRUeASYE7ilcb59Lplt1HS21EktIc3WyUc3rVd17BZ+\nOzVKUKlATQ8FZQ1Bcs5KFEQY+gDbSH/jmyA6LqNN1heIBh6vw9AoLQj/uMaocIAs\nMkR2gWntT9zf2g8ysGWjggEmMIIBIjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww\nCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUH4c4aC1y99X3F+Oa\nyiwx13lnwjgwHwYDVR0jBBgwFoAUyMUdAEGaJCkyUSTrDa5K7UoG0+wwgY0GCCsG\nAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0dHA6Ly9wcml2YXRlY2EtY29udGVu\ndC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1mNGY1ZTgwZDI5NTQuc3RvcmFnZS5n\nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJiOWZjYjE0Ni9jYS5jcnQwHQYDVR0R\nBBYwFIESbG9yZW5jLmRAZ21haWwuY29tMAoGCCqGSM49BAMDA2gAMGUCMQCsr95C\nBNieKlQUj41RB9p4IB2c+8XbMK69jXm6IHZRca65nOP4nMwFUqlE1W/OnlACMAht\nLTUlNndCw2IbG027fRqpElrc/IoIDBUa6aW7E1IL6gcnRk3MK38lkAg/jYaucw==\n-----END CERTIFICATE-----\n for 0xd2d8c0","requestID":"fulcio-server-79cf849bc8-4hj6t/i3PzGbVSxN-000001"}
2021-10-27T04:20:24.655133513Z stderr F {"severity":"info","ts":1635308424.6549308,"caller":"restapi/configure_fulcio_server.go:162","message":"[fulcio-server-79cf849bc8-4hj6t/i3PzGbVSxN-000001] \"POST http://fulcio-server.fulcio-dev.svc/api/v1/signingCert HTTP/1.1\" from 10.244.1.8:59320 - 000 0B in 18.090742ms"}
2021-10-27T04:20:24.655487114Z stderr F 
2021-10-27T04:20:24.655507214Z stderr F  panic: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
2021-10-27T04:20:24.655512614Z stderr F  
2021-10-27T04:20:24.655516114Z stderr F  -> github.com/sigstore/fulcio/pkg/ca/googleca.Client.func1
2021-10-27T04:20:24.655519114Z stderr F  ->   github.com/sigstore/fulcio/pkg/ca/googleca/googleca.go:43
2021-10-27T04:20:24.655522014Z stderr F 
2021-10-27T04:20:24.655525814Z stderr F     sync.(*Once).doSlow
2021-10-27T04:20:24.655528714Z stderr F       sync/once.go:68
2021-10-27T04:20:24.655531714Z stderr F     sync.(*Once).Do
2021-10-27T04:20:24.655534614Z stderr F       sync/once.go:59
2021-10-27T04:20:24.655537514Z stderr F     github.com/sigstore/fulcio/pkg/ca/googleca.Client
2021-10-27T04:20:24.655540614Z stderr F       github.com/sigstore/fulcio/pkg/ca/googleca/googleca.go:39
2021-10-27T04:20:24.655543814Z stderr F     github.com/sigstore/fulcio/pkg/api.GoogleCASigningCertHandler
2021-10-27T04:20:24.655547014Z stderr F       github.com/sigstore/fulcio/pkg/api/googleca_signing_cert.go:52
2021-10-27T04:20:24.655550214Z stderr F     github.com/sigstore/fulcio/pkg/api.SigningCertHandler
2021-10-27T04:20:24.655553114Z stderr F       github.com/sigstore/fulcio/pkg/api/ca.go:63
2021-10-27T04:20:24.655556414Z stderr F     github.com/sigstore/fulcio/pkg/generated/restapi/operations.SigningCertHandlerFunc.Handle
2021-10-27T04:20:24.655559414Z stderr F       github.com/sigstore/fulcio/pkg/generated/restapi/operations/signing_cert.go:37
2021-10-27T04:20:24.655562314Z stderr F     github.com/sigstore/fulcio/pkg/generated/restapi/operations.(*SigningCert).ServeHTTP
2021-10-27T04:20:24.655581614Z stderr F       github.com/sigstore/fulcio/pkg/generated/restapi/operations/signing_cert.go:84
2021-10-27T04:20:24.655584914Z stderr F     github.com/go-openapi/runtime/middleware.NewOperationExecutor.func1
2021-10-27T04:20:24.655587614Z stderr F       github.com/go-openapi/runtime@v0.20.0/middleware/operation.go:28
2021-10-27T04:20:24.655590614Z stderr F     net/http.HandlerFunc.ServeHTTP
2021-10-27T04:20:24.655593914Z stderr F       net/http/server.go:2049
2021-10-27T04:20:24.655596414Z stderr F     github.com/go-openapi/runtime/middleware.NewRouter.func1
2021-10-27T04:20:24.655598914Z stderr F       github.com/go-openapi/runtime@v0.20.0/middleware/router.go:78
2021-10-27T04:20:24.655601614Z stderr F     net/http.HandlerFunc.ServeHTTP
2021-10-27T04:20:24.655604214Z stderr F       net/http/server.go:2049

@mattmoor mattmoor force-pushed the keyless-verification branch 5 times, most recently from 4549159 to 24a98da on October 27, 2021 20:30
mattmoor added a commit to mattmoor/cosign that referenced this pull request Oct 27, 2021
This adds a new flag to the Fulcio options to allow disabling `verifySCT` on keyless signing paths.

The option is modeled after `InsecureSkipVerify` in `tls.Config` to convey the severity of disabling this verification, and the flag indicates that this is intended only for testing.

This is related to my work here: sigstore/fulcio#216

Signed-off-by: Matt Moore <mattomata@gmail.com>
Signed-off-by: Matt Moore <mattomata@gmail.com>
mattmoor added a commit to sigstore/cosign that referenced this pull request Oct 27, 2021
This adds a new flag to the Fulcio options to allow disabling `verifySCT` on keyless signing paths.

The option is modeled after `InsecureSkipVerify` in `tls.Config` to convey the severity of disabling this verification, and the flag indicates that this is intended only for testing.

This is related to my work here: sigstore/fulcio#216

Signed-off-by: Matt Moore <mattomata@gmail.com>
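The commit messages above describe an `InsecureSkipVerify`-style switch that turns off SCT verification for testing only. The Go program below is an added illustration of that fail-closed pattern and is not cosign's or Fulcio's own code: `FulcioOptions`, `CheckSCTPresent` and `NewTestCert` are hypothetical names, and the check is simplified to the presence of the RFC 6962 SCT-list extension rather than a signature check against a CT log key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509 extension carrying an SCT list (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// FulcioOptions is hypothetical; the field mirrors tls.Config.InsecureSkipVerify so its danger is obvious.
type FulcioOptions struct {
	InsecureSkipVerifySCT bool // testing only: bypasses CheckSCTPresent
}

// CheckSCTPresent fails closed: a certificate with no embedded SCT list is rejected unless explicitly skipped.
func CheckSCTPresent(cert *x509.Certificate, opts FulcioOptions) error {
	if opts.InsecureSkipVerifySCT {
		return nil
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSCTList) && len(ext.Value) > 0 {
			return nil
		}
	}
	return errors.New("no embedded SCT list in certificate; refusing to trust it")
}

// NewTestCert builds a constructed self-signed certificate, optionally with a placeholder (unsigned) SCT-list extension.
func NewTestCert(withSCT bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand cannot read
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * time.Minute)}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0, 1, 0}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := NewTestCert(false)
	fmt.Println(CheckSCTPresent(cert, FulcioOptions{})) // rejected by default
}
```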
@mattmoor mattmoor closed this Nov 30, 2021