-
Notifications
You must be signed in to change notification settings - Fork 544
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify certificate against job_workflow_ref string #1313
Comments
TBH I think unifying the email/uri field like
Can I add this flag? It would do the same as |
+1 to a single flag, @dekkagaijin You were on the original ticket for this feature, and you had noted you wanted to think through the UX for a subject flag. Did you have any thoughts about this? |
We're currently in the process of thinking through what the policy API should look like, with this being a core concern. The industry standard method of kicking the can down the road is to have users specify such assertions in a language like CUE, but the UX is understandably awful and I do think that we have a mandate to offer users something better than a prickly footgun. IMHO, for In this specific case, I'd be OK with deprecating Currently, "trusted actor" just means a user ID (i.e. email), but the next major step will be to tie that user ID to a trusted identity provider. ... all that being said, I'm not going to deny that there are valid use cases like the one that Asra brings up. All that I'd like to see is that we have a UX-first approach to such design questions, only surfacing such implementation details as a last resort. |
I like cert-subject but might be missing something. What's the concern with that @dekkagaijin ? |
My concern is that what constitutes a valid x509 cert |
For users that want simple identity pinning, a combination of a subject flag plus an OIDC issuer flag (which I'm adding on #1308) seems sufficient. I agree that it's not very robust, but for simple use cases like where you trust just one identity issuer+subject, this seems like an easy approach. We'll just need to document that For more complex cases like trusting multiple subjects, trusting all SPIFFE workloads in a trust domain, etc, then policy would be what we should recommend for users. Maybe let's avoid adding regex support to |
This is what I was imagining too. One concern might be that we have different ways expressing subjects, some of which expose multiple x509 extensions (mostly GitHub). In the case I can start to see the concern with trying to squeeze it all into one flag. The next obvious approach is something like |
I was thinking |
I was thinking something like that, too, if only to constrain the test to one of (semantically aware) equality. It would also avoid the issue of ordering by just treating it as the dict that it is. The only issue is that it's a half measure; exposes some implementation details but doesn't allow full flexibility |
Any by that I mean "trade off" I think everyone can admit that this is a hard, unsolved usability problem, and it'd be totally reasonable to propose some kind of middle ground experience |
Yeah, the job workflow ref is pretty unfriendly to use from a client/cosign side. On the other hand though, my main problem is that running |
What would the Something like this?
|
Can we close this in favor of #1964 ? (I know that issue is a duplicate of this one so it's not totally fair, but most recent discussion has taken place over there.) |
This also was fixed as of #1626 i believe |
Marking as complete. |
Description
Right now,
--cert-email
only verifies against the cert.EmailAddresses field. If the image was signed by a github actions, there is no way to supply a URI (possibly a regex?) to match against the job_workflow_ref included in the cert URI's field. I'd be interested in doing this, to verify, for e.g. that a container was signed by the correct repository and/or workflow, so that we could use this to pin trust against particular workflows that were meant to generate signatures.cosign verify --cert-uri "username/reponame/.github/workflows/token.yml@refs/heads/master" $IMG
or a regex might be more appropriate
cosign verify --cert-uri-regex "username\/reponame\/.*" $IMG
The text was updated successfully, but these errors were encountered: