fix: support signatures produced with PKCS11 token
The `cosign` tool can produce signatures using a PKCS11 token. These signatures feature a `certificate` annotation inside of their OCI layer. However, when `COSIGN_EXPERIMENTAL` is not enabled, the layer will not feature a Rekor bundle.

Prior to this commit, the code assumed signature layers could have a `certificate` annotation only when using the Fulcio integration. Because of that, layers with a `certificate` but without a Rekor bundle were discarded. That was done to ensure the robustness of keyless verification.

This commit changes the code that creates `SignatureLayer` objects to not raise errors when an embedded certificate cannot be verified, be it because it has been forged/invalid/etc. or because the Rekor bundle is not found inside of the layer. The resulting `SignatureLayer` will not be discarded, but it will have its `certificate_signature` attribute set to `None`.

> **Note:** `SignatureLayer::certificate_signature` was already an `Option`
> before this commit.

The verification constraints implementing keyless verification will discard these kinds of layers because they do not have a `certificate_signature`. However, the public key based verifier will be able to verify the signature stored inside of the layer.

This solves the following scenario:

> As a user,
> Given Alice signed a container image using a PKCS11 token but without having cosign's Rekor integration enabled
> When verifying the container image signature using the public key associated with the certificate stored on her PKCS11 token
> Then the container image will be reported as successfully verified

Fixes #135

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Showing 2 changed files with 70 additions and 33 deletions.
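The layer-handling rule the commit message describes, as an added illustration that is not the project's own code: `RawLayer`, `SignatureLayer`, `verify_certificate` and the two `build_layer_*` functions are simplified stand-ins (not sigstore-rs's API) that contrast the old "discard the layer" behaviour with the new "keep the layer, leave `certificate_signature` as `None`" behaviour, and show why the keyless constraint still rejects the layer while a public-key check accepts it.

```rust
// Simplified model of one OCI signature layer: the annotations cosign
// attaches (certificate, Rekor bundle) are optional.
#[derive(Debug, Clone, PartialEq)]
struct RawLayer {
    signature: String,
    certificate: Option<String>,
    bundle: Option<String>,
}

// Simplified SignatureLayer: certificate_signature is None whenever the
// embedded certificate could not be verified (hypothetical type).
#[derive(Debug, PartialEq)]
struct SignatureLayer {
    signature: String,
    certificate_signature: Option<String>,
}

// Hypothetical stand-in for certificate verification: it needs a Rekor
// bundle and, for this toy model, the bundle must name the certificate.
fn verify_certificate(cert: &str, bundle: Option<&str>) -> Result<String, String> {
    let bundle = bundle.ok_or("no Rekor bundle in layer")?;
    if bundle == format!("bundle-for:{}", cert) {
        Ok(format!("certsig:{}", cert))
    } else {
        Err("bundle does not match certificate".to_string())
    }
}

// Before the fix: a certificate that cannot be verified discards the layer.
fn build_layer_old(raw: &RawLayer) -> Option<SignatureLayer> {
    let certificate_signature = match &raw.certificate {
        Some(cert) => Some(verify_certificate(cert, raw.bundle.as_deref()).ok()?),
        None => None,
    };
    Some(SignatureLayer { signature: raw.signature.clone(), certificate_signature })
}

// After the fix: the layer is kept; a failed verification only yields None.
fn build_layer_new(raw: &RawLayer) -> SignatureLayer {
    let certificate_signature = raw
        .certificate
        .as_deref()
        .and_then(|cert| verify_certificate(cert, raw.bundle.as_deref()).ok());
    SignatureLayer { signature: raw.signature.clone(), certificate_signature }
}

// Keyless constraint: only layers with a verified certificate pass.
fn keyless_accepts(layer: &SignatureLayer) -> bool {
    layer.certificate_signature.is_some()
}

// Public-key constraint: checks the signature itself and ignores the certificate.
fn pubkey_accepts(layer: &SignatureLayer, expected_sig: &str) -> bool {
    layer.signature == expected_sig
}
```

A PKCS11-produced layer (certificate present, no bundle) is dropped by `build_layer_old`, but `build_layer_new` returns it with `certificate_signature == None`, so `keyless_accepts` is false while `pubkey_accepts` succeeds.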