Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add more workflow information for Github workflow certificates (sha, run) #208

Closed
asraa opened this issue Oct 18, 2021 · 9 comments
Closed

Add more workflow information for Github workflow certificates (sha, run) #208

asraa opened this issue Oct 18, 2021 · 9 comments
Labels
enhancement New feature or request

Comments

@asraa
Copy link
Contributor

asraa commented Oct 18, 2021
edited
Loading

Description

It would be good to have information on the sha that the builder is requesting a certificate for in the case of a github workflow. this would allow a user to authenticate when the workflow was running, and trust that a builder is signing on a specific sha (if branch protection is off at some point in a repo, anyone can make a malicious signed artifact with a builder in their malicious branch)

This will help getting repos up to SLSA 2!

Related:
#204
@asraa asraa added the enhancement New feature or request label Oct 18, 2021
@laurentsimon
Copy link

@laurentsimon FYI

@laurentsimon
Copy link

Would it be useful to have a provider-agnostic extension?
Say we have Google and GitHub providers. Depending on context, we may want to add additional information (in the case of this issue, a commit hash): will the OID have a {provider type, datablob} structure?
I don't think we want to create a new extension every time a provider needs to add additional context to the cert.
wdut?

@asraa
Copy link
Contributor Author

asraa commented Oct 20, 2021

Would it be useful to have a provider-agnostic extension?

Yeah that's doable -- we just have a prefix reserved (1.3.6.1.4.1.57264), and we can start using them as we please!

Right now Bob's planning on using 1.1 for issuer context, provide-agnositc. I'm not sure how conventions work here. should 1.2 be commit sha and 1.3 be trigger? or should they be bundled in some way?

@asraa
Copy link
Contributor Author

asraa commented Oct 20, 2021

cc @bobcallaway

@asraa
Copy link
Contributor Author

asraa commented Oct 20, 2021

Or barring privacy concerns around logging the full github token in rekor (are there any? maybe private workflows?) maybe we can serialize the whole token and stick it in a single extension?

@laurentsimon
Copy link

laurentsimon commented Oct 20, 2021
edited
Loading

yeah that's what I was thinking too: version || len_provider_name || provider_name || provider_version || len_serialize_data || serialized_data. provider_version probably not necessary.

@asraa asraa mentioned this issue Nov 1, 2021
Merged
@asraa
Copy link
Contributor Author

asraa commented Nov 2, 2021

Side note: @dlorenc got the same effect as this by signing with annotations on the sha/commit.

I think it's still useful to have this information in the cert in case it's not a cosign container sig being created (just a signature on an artifact, and this info can come from the cert)

@asraa asraa mentioned this issue Nov 2, 2021
Closed
@haydentherapper
Copy link
Contributor

@asraa Good to close this issue as fixed?

@asraa
Copy link
Contributor Author

asraa commented Jun 1, 2022

Yes! Fixed

@asraa asraa closed this as completed Jun 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@asraa @haydentherapper @laurentsimon