-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add more workflow information for Github workflow certificates (sha, run) #208
Comments
@laurentsimon FYI |
Would it be useful to have a provider-agnostic extension? |
Yeah that's doable -- we just have a prefix reserved (1.3.6.1.4.1.57264), and we can start using them as we please! Right now Bob's planning on using 1.1 for issuer context, provide-agnositc. I'm not sure how conventions work here. should 1.2 be commit sha and 1.3 be trigger? or should they be bundled in some way? |
cc @bobcallaway |
Or barring privacy concerns around logging the full github token in rekor (are there any? maybe private workflows?) maybe we can serialize the whole token and stick it in a single extension? |
yeah that's what I was thinking too: |
Side note: @dlorenc got the same effect as this by signing with annotations on the sha/commit. I think it's still useful to have this information in the cert in case it's not a cosign container sig being created (just a signature on an artifact, and this info can come from the cert) |
@asraa Good to close this issue as fixed? |
Yes! Fixed |
Description
It would be good to have information on the sha that the builder is requesting a certificate for in the case of a github workflow. this would allow a user to authenticate when the workflow was running, and trust that a builder is signing on a specific sha (if branch protection is off at some point in a repo, anyone can make a malicious signed artifact with a builder in their malicious branch)
This will help getting repos up to SLSA 2!
Related:
#204
The text was updated successfully, but these errors were encountered: