How to get the Fulcio root certificate securely in verify-blob?
#2134
Comments
Hi @wata727! Thanks for the very thoughtful question, this is great. You are exactly correct that that way does not verify the certificate chain. I think this was noted in a prior issue, but I can't find it right now.
Correct.
Yes, actually This is the code run to It creates a new TUF environment and gets the targets by name of the file or usage. This is also what's called when you run cosign initialize. That local cache is a full TUF repository that chains up to an embedded root in cosign, as is the Honestly, by default, if no certificate chain is provided, then we SHOULD verify against the root pool retrieved from @haydentherapper do you know if there was any discussion about this?
There hasn't been discussion about that. It'd be changing this behavior or this. Originally I will guess the thought was that by providing only the certificate, it's just a vehicle for providing the public key.
Thank you for answering my question.
Agreed.
Thank you for your comment. I've opened a PR to change the behavior. I would be happy to discuss the implementation here #2139.
#2139 is merged. With this fix, the certificate chain will be verified against the Fulcio root trust by default if you pass the The answer to this question is "Fulcio root trust is retrieved automatically, so you don't need to pass it with Thank you again to everyone who answered the question and participated in the code review.
First of all, thank you for the great project and everyone involved in it. I'm a maintainer of an OSS project using cosign to sign release binaries. Our project uses GoReleaser for signing, and we run the following commands on the checksum:
https://github.com/terraform-linters/tflint/blob/e7668cb182999e93a2e79534968d8ad686c14f14/.goreleaser.yml#L26-L37
To verify this, we provide a verification example as follows:
https://github.com/terraform-linters/tflint/blob/e7668cb182999e93a2e79534968d8ad686c14f14/README.md#verification
However, I understand that this way does not verify the checksum.txt.pem's certificate chain against the Fulcio root trust, so it is not sufficient: https://github.com/sigstore/cosign/blob/v1.10.1/cmd/cosign/cli/verify/verify_blob.go#L122-L129
To avoid this, I understand that I need to pass the Fulcio root certificate with the --certificate-chain option: https://github.com/sigstore/cosign/blob/v1.10.1/cmd/cosign/cli/verify/verify_blob.go#L131-L139
Now the question is, how can I get this root certificate securely?
I have confirmed that I can get certificates locally using TUF by cosign initialize. I can use this to build a certificate chain like this:
But I'm not sure I can trust this local cache. In my opinion, it's safest to also get this root certificate by the TUF client, like COSIGN_EXPERIMENTAL=1 cosign verify-blob: https://github.com/sigstore/cosign/blob/v1.10.1/cmd/cosign/cli/verify/verify_blob.go#L220-L227
What do you think about this? Is there a better way?
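The gap the question describes, as an added Go example that is not cosign's code: a throwaway test PKI (Ed25519 keys, constructed names and blob, a root pool standing in for the Fulcio roots that cosign initialize fetches via TUF) shows that checking only the signature under the certificate's key accepts a self-signed certificate anyone could mint, while verifying the chain against the trusted root pool rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates an Ed25519 key and issues a cert for it from parent/parentKey
// (self-signed when parent is nil). Throwaway test PKI, not Fulcio's.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}

// verify separates the two checks: sigOK is what --certificate alone gives (the cert is only a
// vehicle for the public key); chainOK is the missing step, the cert chaining to trusted roots.
func verify(blob, sig []byte, leaf *x509.Certificate, roots *x509.CertPool) (sigOK, chainOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return ed25519.Verify(leaf.PublicKey.(ed25519.PublicKey), blob, sig), err == nil
}

// Demo signs a constructed blob with a root-issued cert and with a self-signed one; only chainOK differs.
func Demo() (trustedSig, trustedChain, rogueSig, rogueChain bool) {
	root, rootKey := newCert("constructed root CA", true, nil, nil)
	roots := x509.NewCertPool() // stands in for the Fulcio root pool fetched via TUF
	roots.AddCert(root)
	blob := []byte("constructed checksums.txt contents")
	trusted, trustedKey := newCert("release signer", false, root, rootKey) // issued by the trusted root
	trustedSig, trustedChain = verify(blob, ed25519.Sign(trustedKey, blob), trusted, roots)
	rogue, rogueKey := newCert("anyone at all", false, nil, nil) // self-signed: anyone can mint this
	rogueSig, rogueChain = verify(blob, ed25519.Sign(rogueKey, blob), rogue, roots)
	return
}
```

Demo returns true, true, true, false: both signatures validate under their own certificate's key, and only the chain check separates the root-issued signer from the self-signed one.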