feat: cert-extensions verify #1626
Conversation
c93432d to
fd446ed
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1626 +/- ##
==========================================
+ Coverage 28.69% 28.71% +0.02%
==========================================
Files 133 134 +1
Lines 8092 8207 +115
==========================================
+ Hits 2322 2357 +35
- Misses 5463 5543 +80
Partials 307 307 ☔ View full report in Codecov by Sentry. |
|
PTAL @ckotzbauer |
There was a problem hiding this comment.
Thanks @developer-guy for adopting this logic! I think the code overall looks good and solid. It should not break the logic from Kyverno on the next update as the extensions-parameter is not used there (apart from the new location of some functions)
pkg/cosign/verify.go
Outdated
| } | ||
| } | ||
| return true | ||
| } |
There was a problem hiding this comment.
I'm not sure about this function. Kyverno ignores empty-string values (same as the extension would not be required) and respects shortened values or wildcards. However, it is of course not mandatory that cosign will do the same here. WDYT?
There was a problem hiding this comment.
It is the function that makes the matching between the actual one and the expected one to decide whether claims are equal, I couldn't understand your comment :/
There was a problem hiding this comment.
Yes, correct. What I mean is, that this function checks for strict equality, wildcards and shortened values are not supported.
E.g. cosign verify aquasec/trivy:0.24.3 --cert-extensions githubWorkflowRepository=aquasecurity/* won't work (with or without asterisk). This is how Kyverno would validate: https://github.com/kyverno/kyverno/blob/main/pkg/cosign/cosign.go#L419-L421
There was a problem hiding this comment.
It is not required to make the validation equal to the Kyverno logic, just want to mention the difference 😉
cmd/cosign/cli/options/verify.go
Outdated
| @@ -34,6 +34,7 @@ type VerifyOptions struct { | |||
| Registry RegistryOptions | |||
| SignatureDigest SignatureDigestOptions | |||
| AnnotationOptions | |||
| CertExtensionOptions | |||
There was a problem hiding this comment.
Since this is for verifying certificates, this should be under the existing CertVerifyOptions.
There was a problem hiding this comment.
Bumping this comment, we should group this under CertVerifyOptions so it gets pulled into all of the verify commands automatically
|
|
||
| var ( | ||
| // Fulcio cert-extensions, documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md | ||
| CertExtensionOIDCIssuer = "1.3.6.1.4.1.57264.1.1" |
There was a problem hiding this comment.
This is already covered -
See #1308 where it was added.
There was a problem hiding this comment.
Bumping this comment too - We shouldn't have two ways to verify the issuer
We'll be creating documentation about this to help people to discover these certain extensions about what we are adding to certificates, does it make sense? |
|
I'm wondering if this feature makes sense as flags or if policy should be a part of a file, since this is meant to be repeated for every command, and I'd assume users would want to check in their policy to audit. |
I don't see an issue with flags and a policy file. Both make sense to me. |
I think we should document the canonical strings/field names somewhere, probably near where the OIDs themselves live, then use those here. I agree the variable names themselves are probably not the best ux. |
|
kindly ping @dlorenc |
8f38160 to
3f7c561
Compare
|
|
||
| var ( | ||
| // Fulcio cert-extensions, documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md | ||
| CertExtensionOIDCIssuer = "1.3.6.1.4.1.57264.1.1" |
There was a problem hiding this comment.
Bumping this comment too - We shouldn't have two ways to verify the issuer
cmd/cosign/cli/options/verify.go
Outdated
| @@ -34,6 +34,7 @@ type VerifyOptions struct { | |||
| Registry RegistryOptions | |||
| SignatureDigest SignatureDigestOptions | |||
| AnnotationOptions | |||
| CertExtensionOptions | |||
There was a problem hiding this comment.
Bumping this comment, we should group this under CertVerifyOptions so it gets pulled into all of the verify commands automatically
| @@ -51,11 +51,18 @@ func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map | |||
| return errors.New("missing or incorrect annotation") | |||
| } | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
I'm not sure what the purpose of this function is, but I'd strongly prefer we continue to group certificate verification under this function -
Line 203 in 03e66aa
This goes back to the earlier point too about the existing flag for OIDC issuer.
|
|
||
| // AddFlags implements Interface | ||
| func (o *CertExtensionOptions) AddFlags(cmd *cobra.Command) { | ||
| cmd.Flags().StringSliceVarP(&o.CertExtensions, "cert-extensions", "", nil, |
There was a problem hiding this comment.
I think we discussed this on the comments, but it'd be preferrable to match the existing style of a flag per extension instead of have a map.
See https://github.com/sigstore/cosign/blob/aad7c5fcd6e5f854ae48a57e42919039e6d219c0/cmd/cosign/cli/options/certificate.go for existing flags. We should add flags like certificate-github-ref, etc
3f7c561 to
517c33c
Compare
pkg/cosign/verify.go
Outdated
| @@ -71,8 +71,10 @@ type CheckOpts struct { | |||
|
|
|||
| // Annotations optionally specifies image signature annotations to verify. | |||
| Annotations map[string]interface{} | |||
| // CertExtensions optionally specifies image signature cert extensions to verify. | |||
| CertExtensions map[string]string | |||
There was a problem hiding this comment.
In the same vein, moving away from a map, I think we should have a field per extension - CertGitHubSha, CertGitHubRef, etc - If this is used a library function, it's not as clean of an interface to take a map, because there's no way to know what is a valid string.
0788d39 to
fbb5437
Compare
7225580 to
802f0a2
Compare
There was a problem hiding this comment.
Two high-level comments:
- We need to make sure that the verify* commands do not diverge. This means that if we add a verify flag for
cosign verify, it should work for verify, verify attestation, verify blob, verify manifest, and verify dockerfile. - Most of these changes lack tests. For all of the changes to
pkg, please add tests.
pkg/cosign/verify.go
Outdated
| @@ -90,6 +90,14 @@ type CheckOpts struct { | |||
| CertEmail string | |||
| // CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid. | |||
| CertOidcIssuer string | |||
|
|
|||
| // CertGithubWorkflowTrigger is the GitHub Workflow Trigger name expected for a certificate to be valid. The empty string means any certificate can be valid. | |||
| CertGithubWorkflowTrigger string | |||
There was a problem hiding this comment.
nit: Comments for all
| sigs "github.com/sigstore/cosign/pkg/signature" | ||
| ) | ||
|
|
||
| // CertExtensionOptions is the top level wrapper for the annotations. |
There was a problem hiding this comment.
Looks like this file is not used, delete?
There was a problem hiding this comment.
Agree, thank you good catch.
| @@ -0,0 +1,84 @@ | |||
| // | |||
There was a problem hiding this comment.
We already have tests in the keys_test.go file called TestCertExtensions
There was a problem hiding this comment.
Can we copy over the tests to a new file? Otherwise, it's not clear that these are tested.
| return errors.New("expected oidc issuer not found in certificate") | ||
| } | ||
|
|
||
| if err := validateCertExtensions(ce, co); err != nil { |
There was a problem hiding this comment.
Tests? See
cosign/pkg/cosign/verify_test.go
Line 515 in 802f0a2
GenerateLeafCert in the test utils will need to be updated to support adding all extensions
pkg/signature/certextensions.go
Outdated
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package signature |
There was a problem hiding this comment.
File unused, delete?
There was a problem hiding this comment.
bump, can this be deleted?
There was a problem hiding this comment.
yep, deleted, thank you.
| @@ -48,22 +48,27 @@ import ( | |||
| // nolint | |||
There was a problem hiding this comment.
Also need to update:
- https://github.com/sigstore/cosign/blob/f2c360eb97e52fa7766ecde370f1a48b910d7404/cmd/cosign/cli/dockerfile.go
- https://github.com/sigstore/cosign/blob/f2c360eb97e52fa7766ecde370f1a48b910d7404/cmd/cosign/cli/manifest.go
- https://github.com/sigstore/cosign/blob/03e66aad02cf7c987ea489cdeda1fd580b6b1fc6/cmd/cosign/cli/verify/verify_attestation.go
- https://github.com/sigstore/cosign/blob/03e66aad02cf7c987ea489cdeda1fd580b6b1fc6/cmd/cosign/cli/verify/verify_blob.go
And also update where o.CertVerify.X is added to the command, like line 179 in cmd/cosign/cli/verify.go and in Verify Blob (
cosign/cmd/cosign/cli/verify.go
Line 260 in 03e66aa
There was a problem hiding this comment.
thank you, I missed those parts.
There was a problem hiding this comment.
thanks for updating these!
1f1bbea to
777965f
Compare
218ed2b to
6a25723
Compare
pkg/signature/certextensions.go
Outdated
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package signature |
There was a problem hiding this comment.
bump, can this be deleted?
| @@ -48,22 +48,27 @@ import ( | |||
| // nolint | |||
There was a problem hiding this comment.
thanks for updating these!
| @@ -0,0 +1,84 @@ | |||
| // | |||
There was a problem hiding this comment.
Can we copy over the tests to a new file? Otherwise, it's not clear that these are tested.
| @@ -131,7 +132,12 @@ func GenerateLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Ce | |||
| Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}, | |||
| Critical: false, | |||
| Value: []byte(oidcIssuer), | |||
| }}, | |||
| }, | |||
There was a problem hiding this comment.
nit: To avoid having to update all places where GenerateLeafCert is called, can we create a new function like GenerateLeafCertWithGitHubOIDs or something?
There was a problem hiding this comment.
that makes a lot of sense, thank you, updated.
6a25723 to
e4b9e30
Compare
e4b9e30 to
3b6e20a
Compare
| Annotations: annotations, | ||
| HashAlgorithm: hashAlgorithm, | ||
| SignatureRef: o.SignatureRef, | ||
| LocalImage: o.LocalImage, |
There was a problem hiding this comment.
Also need to update VerifyAttestation with the new verify options, on line 185
There was a problem hiding this comment.
good catch @haydentherapper as always
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Christian Kotzbauer <@ckotzbauer1> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
3b6e20a to
3c5a6f3
Compare
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Christian Kotzbauer <@ckotzbauer1>
Summary
This PR will add support for verifying additional claims within the signature cert.
Ticket Link
Fixes #1625 and #1989
Release Note
cc: @ckotzbauer1