-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: add TSA support when verifying authorities #468
Conversation
Codecov Report
@@ Coverage Diff @@
## main #468 +/- ##
==========================================
- Coverage 55.66% 54.73% -0.93%
==========================================
Files 38 38
Lines 3992 4129 +137
==========================================
+ Hits 2222 2260 +38
- Misses 1598 1688 +90
- Partials 172 181 +9
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
1b396a1
to
3cbfc71
Compare
name: my-sigstore-keys | ||
spec: | ||
sigstoreKeys: | ||
timestampAuthorities: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The TrustRoot "my-sigstore-keys" is invalid: spec.sigstoreKeys.certificateAuthorities: Invalid value: "null": spec.sigstoreKeys.certificateAuthorities in body must be of type array: "null"
Error: Process completed with exit code 1.
Don't we still need the signing CA added? It's currently listed as 'required', so if this is a bad assumption we need to relax it in the trustroot API.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still working on this ... thanks for looking at it. I am adding a WIP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll complete the tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh no worries, was just thinking through my assumptions on how things work :) My thinking has been that there always has to be a CA, but maybe that's wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we still need the signing CA added? It's currently listed as 'required', so if this is a bad assumption we need to relax it in the trustroot API.
You can sign using the TSA as verification and a raw key without anything else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should relax the validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
3cbfc71
to
9f7e7b8
Compare
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
363bed2
to
3074163
Compare
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
cb72c04
to
f39b4e6
Compare
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
f39b4e6
to
b3bf7db
Compare
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
with: | ||
mirror: mirror.gcr.io | ||
|
||
- uses: hectorj2f/cosign-installer@c5ac9ce01eb4b0048c02123cb3721624c8f4dc55 # v2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am waiting for a decision so we can install cosign v2 and RC versions via sigstore/cosign-installer#105
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I created #478 to track this change.
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
03147c8
to
7b585e6
Compare
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
7b585e6
to
b5766e5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you open tracking issues for updating the installer/tsa/cosign deps once they are released with the changes we need?
@mattmoor Yes, I'll create one issue. I am working myself on the change too sigstore/cosign-installer#105. |
Signed-off-by: Hector Fernandez hector@chainguard.dev
Summary
We are adding support to verify images using timestamp authorities. To test it, we use scaffolding and a working branch to install cosign v2.0.0-rc so we can use TSA verifications (sigstore/cosign-installer#105).
Release Note
Add support to verify images using timeStamp authorities.
Documentation