Add rekor support for cosign #140
Comments
+1 on rekor transparency log verification being supported as a feature added to connaisseur, to keep it in equilibrium with cosign's capabilities.
Hi,
Technically yes; that flag was non-functional in the past, however. We have been doing some preparatory work in #540 to better support features beyond simple signing/verifying and are aiming to add support for other rekor URLs soon. However, as far as I can see, there may be multiple hosts required, plus the option to configure the rootCA file: https://docs.sigstore.dev/cosign/openid_signing#custom-infrastructure. Are you using rekor and fulcio, and would you need to configure both?
No Fulcio/OIDC in my current setup, but it may be integrated in the future.
Ah, never mind. As we only do verification, I'd hope we do not need to integrate with Fulcio/OIDC, as all relevant info is in rekor. To best understand the desired behavior: say the following is configured for a validator in
In that case, we'd enforce a rekor entry, i.e. a cosign signature that has not been added to rekor will be treated as invalid. We could, if necessary, add a switch for that at a later point.
Yes, that would be perfect.
And will that require configuration of the rootCA? https://docs.sigstore.dev/cosign/openid_signing#custom-root-cert
No, I can deal without.
`host` key for cosign is added to specify the rekor transparency log URL. When `host` is set, the cosign validator additionally requires a transparency log entry to pass validation. Technically, the `host` key allows configuration of any rekor instance; however, cosign appears to always check against the default instance rekor.sigstore.dev. Fixes #140
@clem844 the above PR should add rekor support. However, I noticed that cosign does store trust roots in

```
COSIGN_EXPERIMENTAL=1 cosign verify --key cosign.pub --rekor-url rekor.sigstore.dev $IMAGE
```

The trust roots have the following form:

```
/home/xoph/.sigstore
└── root
    └── targets
        ├── artifact.pub
        ├── ctfe.pub
        ├── fulcio.crt.pem
        ├── fulcio_v1.crt.pem
        └── rekor.pub
```

From the above I am not sure how cosign would handle multiple different rekor instances. Do you have a private rekor instance to check how that affects trust roots when verifying against
I did not initialize cosign with my own TUF signed public key of my Rekor instance. It was initialized with public instances.
I will keep looking. If I open a bug on cosign I will reference it here.
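The two comments above turn on one detail: cosign's trust root pins a single log key (`rekor.pub`), so a signed entry timestamp from a private Rekor instance cannot verify unless that instance's key is in the trust root. The following is an added example written for this thread, not code from connaisseur or cosign, that models the check with generated P-256 keys standing in for `rekor.pub`, a constructed signature body, and key-sorted `encoding/json` output as a stand-in for Rekor's canonical JSON (all assumptions). It integrates the same body into a "public" and a "private" log and verifies each entry against the public log's key and, for the private entry, against its own key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// LogEntry holds the fields a Rekor signed entry timestamp (SET) covers. Fields are
// alphabetical so encoding/json emits key-sorted JSON (assumed stand-in for RFC 8785).
type LogEntry struct {
	Body           string `json:"body"`
	IntegratedTime int64  `json:"integratedTime"`
	LogID          string `json:"logID"`
	LogIndex       int64  `json:"logIndex"`
}

// LogInstance models one Rekor deployment; its key plays the role of rekor.pub.
type LogInstance struct{ Priv *ecdsa.PrivateKey }

// NewLogInstance generates a fresh P-256 log key (panics only if the CSPRNG fails).
func NewLogInstance() *LogInstance {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &LogInstance{Priv: priv}
}

// LogID derives the log ID as Rekor does: hex SHA-256 over the DER-encoded public key.
func LogID(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a well-formed ECDSA key
	}
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// Integrate records a signature body and returns the entry with its SET, an ECDSA
// signature by the log key over the canonical entry JSON.
func (l *LogInstance) Integrate(body []byte, index, ts int64) (LogEntry, []byte, error) {
	e := LogEntry{Body: base64.StdEncoding.EncodeToString(body), IntegratedTime: ts, LogID: LogID(&l.Priv.PublicKey), LogIndex: index}
	payload, err := json.Marshal(e)
	if err != nil {
		return LogEntry{}, nil, err
	}
	digest := sha256.Sum256(payload)
	set, err := ecdsa.SignASN1(rand.Reader, l.Priv, digest[:])
	return e, set, err
}

// VerifySET checks an entry against a pinned log key: the logID must name that key and
// the SET must verify under it, so an entry from a different log fails the ID check.
func VerifySET(pinned *ecdsa.PublicKey, e LogEntry, set []byte) error {
	if want := LogID(pinned); e.LogID != want {
		return fmt.Errorf("entry logID %s does not match pinned log %s", e.LogID, want)
	}
	payload, err := json.Marshal(e)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pinned, digest[:], set) {
		return fmt.Errorf("signed entry timestamp does not verify")
	}
	return nil
}

// Scenario reproduces the thread: a verifier pinning only the public log's key checks
// entries from both logs. Returns (public entry vs public key, private entry vs public
// key, private entry vs its own key).
func Scenario() (bool, bool, bool, error) {
	public, private := NewLogInstance(), NewLogInstance()
	body := []byte(`{"critical":{"identity":{"docker-reference":"example.org/app"}}}`) // constructed payload
	pubEntry, pubSET, err := public.Integrate(body, 1, 1650000000)
	if err != nil {
		return false, false, false, err
	}
	privEntry, privSET, err := private.Integrate(body, 1, 1650000000)
	if err != nil {
		return false, false, false, err
	}
	return VerifySET(&public.Priv.PublicKey, pubEntry, pubSET) == nil,
		VerifySET(&public.Priv.PublicKey, privEntry, privSET) == nil,
		VerifySET(&private.Priv.PublicKey, privEntry, privSET) == nil, nil
}

func main() {
	a, b, c, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("public/public: %v, private/public: %v, private/private: %v\n", a, b, c)
}
```

The middle result is the failure mode discussed above: the private entry is well-formed and correctly signed, but the verifier's trust root names a different log, so the check fails before any signature is examined. Pointing a verifier at a private instance by URL alone does not help; its log key has to be in the trust root as well.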
Issue opened: sigstore/cosign#1816
The feature can be tested now. I have built a test branch from #637: https://github.com/sse-secure-systems/connaisseur/tree/test-pr637. It is configured such that you could use our test images, or configure your own using your own or the public rekor instance, via the validator's

```
> kubectl run rekor --image=docker.io/securesystemsengineering/testimage:rekor-cosigned-tl
pod/rekor created
> kubectl run norekor --image=docker.io/securesystemsengineering/testimage:rekor-cosigned-notl
Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: Failed to find signature in transparency log.
```

Let me know if it works for you and meets your vision for the feature 🙂
I tested it with my private Rekor and I get the following error:
This error is the same whether the signature is logged into Rekor or not.
Did it work with the public Rekor instance? Are you sure that there is a connection to the private rekor instance? Like, can it be curled from within the cluster?
Yes, I can reach my Rekor instance from the cluster.
My bad: the SSL error has nothing to do with this.
That is strange, because the exact same works for me on two different local setups using
Ok, I tried again today with my local setup (k3d). It works both with the images you provide and the public Rekor and my own images with a self hosted Rekor.
One suggestion: it would be nice to have the cosign logs in the console. They are currently only in connaisseur's pod.
Neat 🙂
Describe the feature
With #107, basic Cosign support was added. In the spirit of extending that support and strengthening the signature verification, we could extend this to also support the rekor integration of cosign: https://github.com/sigstore/cosign/tree/v0.2.0#rekor-support
Optional: Implementation ideas
We would probably have to extend the cosign configuration in the `helm/values.yaml` and might reuse the `host` key. However, integration should not be too hard an issue.