Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Fulcio support to signing #158

Merged
merged 9 commits into from
May 13, 2024
Merged

Add Fulcio support to signing #158

merged 9 commits into from
May 13, 2024

Conversation

steiza
Copy link
Member

@steiza steiza commented May 1, 2024

Summary

Continuing to work towards #136 with small / incremental diffs.

This involved a bit of a refactor to support MessageSignature and DSSE bundle content.

Also, we should probably start adding signing tests soon.

Release Note

NONE - still no Rekor support or testing via conformance tests or integration tests with mocks

Documentation

NONE

@steiza
Add Fulcio support to signing
171eb77 
This involved a bit of a refactor to support MessageSignature and DSSE
bundle content.

Also, we should probably start adding tests soon.

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza requested a review from a team May 1, 2024 21:20
kommendorkapten
kommendorkapten reviewed May 2, 2024
View reviewed changes
pkg/sign/content.go Outdated Show resolved Hide resolved
@steiza
Rename Content Prepare to PreAuthEncoding
f62bb30 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Copy link
Member Author

steiza commented May 2, 2024

This PR is kind of large, and it's likely it'll grow with some more testing. If it would help reviewing, I could separate out the Fulcio addition and the bundle content supporting Message Signature and DSSE Envelope - let me know.

haydentherapper
haydentherapper requested changes May 2, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with the size and content of the PR! Was easy to read through and I think tests will be straightforward.

The main comment to discuss is the one about Sign being responsible for both certificate requesting and artifact signing, lemme know your thoughts. I don't think it's a significant change from this PR, mostly about providing an interface to request certificates as an optional step of signing.

examples/signing/main.go Outdated Show resolved Hide resolved
examples/signing/main.go Outdated Show resolved Hide resolved
pkg/sign/content.go Outdated Show resolved Hide resolved
pkg/sign/content.go Outdated Show resolved Hide resolved
pkg/sign/timestamping.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
steiza added 2 commits May 6, 2024 09:50
@steiza
Support Fulcio signing with supplied key.
f2d7e69 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
More cleanly delineate between Content and Keypair
5c01baa 
`Content` now clearly owns generating and remembering the hash digest.

`Keypair` communicates the hash algorithm to `Content`, and generates
the signature.

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza mentioned this pull request May 6, 2024
Closed
steiza added 2 commits May 6, 2024 15:29
@steiza
Use sigstore/sigstore cryptoutils.MarshalPublicKeyToPEM
de0abd6 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Fix proof of possesion signature
d63db0f 
Signed-off-by: Zach Steindler <steiza@github.com>
haydentherapper
haydentherapper reviewed May 10, 2024
View reviewed changes
pkg/sign/keys.go Outdated Show resolved Hide resolved
pkg/sign/keys.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
@steiza
Move bundle logic out to be all in one place
862937e 
Signed-off-by: Zach Steindler <steiza@github.com>
haydentherapper
haydentherapper reviewed May 10, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much for the changes, this looks great. I have some thoughts on the top level sign.Bundle method, but I think it'll naturally evolve as we continue adding features. Just a couple last comments.

pkg/sign/certificate.go Show resolved Hide resolved
pkg/sign/certificate.go Show resolved Hide resolved
pkg/sign/signer.go Show resolved Hide resolved
@steiza
Add clarifying comments
2410557 
Signed-off-by: Zach Steindler <steiza@github.com>
haydentherapper
haydentherapper previously approved these changes May 10, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again for all the discussion here! @kommendorkapten any other thoughts?

kommendorkapten
kommendorkapten reviewed May 13, 2024
View reviewed changes
pkg/sign/keys.go Outdated Show resolved Hide resolved
kommendorkapten
kommendorkapten reviewed May 13, 2024
View reviewed changes
pkg/sign/signer.go Outdated Show resolved Hide resolved
@kommendorkapten
Copy link
Member

I think this looks good for an incremental PR! I have two comments I would like to see answered before merging.

@steiza
Simplify EphemeralKeypair options and require explicit keypair for si…
29150cb 
…gning

Signed-off-by: Zach Steindler <steiza@github.com>
@kommendorkapten
Copy link
Member

Nice work @steiza !

@steiza steiza merged commit 4602a35 into main May 13, 2024
11 checks passed
@steiza steiza deleted the signing branch May 13, 2024 15:14
@steiza steiza mentioned this pull request May 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

@kommendorkapten kommendorkapten kommendorkapten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@steiza @kommendorkapten @haydentherapper