fix verification of signatures produced with pki11 #142
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The documentation of the `SignatureLayer::new` method was mentioning a parameter that no longer exists. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
The `cosign` tool can produce signatures using a PKCS11 token. These signatures feature a `certificate` annotation inside of their OCI layer. However, when `COSIGN_EXPERIMENTAL` is not enabled, the layer will not feature a Rekor bundle. Prior to this commit, the code assumed signature layers could have a `certificate` annotation only when using the Fulcio integration. Because of that, layers with a `certificate` but without a Rekor bundle were discarded. That was done to ensure the robustness of keyless verification. This commit changes the code that creates `SignatureLayer` objects to not raise errors when an embedded certificate cannot be verified. Be it because it has been forged/invalid/etc or because the Rekor bundle is not found inside of the layer. The resulting `SignatureLayer` will not be discarded, but it will have its `certificate_signature` attribute set to `None`. > **Note:** `SignatureLayer::certificate_signature` was already a `Option` > before of this commit. The verification constraints implementing keyless verification will discard these kind of layers because they do not have a `certificate_signature`. However, the public key based verifier will be able to verify the signature stored inside of the layer. This solves the following scenario: > Given Alice signed a container image using a PKCS11 token but without having cosign's Rekor integration enabled > When verifying the container image signature using the public key associated with the certificate stored on her PKCS11 token > Then the container image will be reported as successfully verified Fixes sigstore#135 Signed-off-by: Flavio Castelli <fcastelli@suse.com>
flavio
force-pushed
the
fix-verification-of-signatures-produced-with-pki11
branch
from
523650e to
5b1fae7
Compare
Address clippy and rustfmt warnings Signed-off-by: Flavio Castelli <fcastelli@suse.com>
flavio
force-pushed
the
fix-verification-of-signatures-produced-with-pki11
branch
from
b337376 to
51fcde8
Compare
viccuad
reviewed
Oct 13, 2022
| SigstoreError::SigstoreFulcioCertificatesNotProvidedError | ||
| )); | ||
| ); | ||
| assert!(cert.is_none()); |
There was a problem hiding this comment.
I think the test functions should be renamed now, e.g:
get_certificate_signature_from_annotations_fails_when_no_bundle_is_given()
get_certificate_signature_from_annotations_fails_when_no_fulcio_pub_key_is_given()
should be renamed to [...]_returns_none()
viccuad
approved these changes
Oct 13, 2022
|
I like this approach. This PR fix #135 by not failing if the certificate in the |
flavio
added a commit
to flavio/sigstore-rs
that referenced
this pull request
Oct 13, 2022
Fixes ===== * fix verification of signatures produced with PKI11 (sigstore#142) Others ====== * Update rsa dependency to stable version 0.7.0 (sigstore#141) * Bump actions/checkout from 3.0.2 to 3.1.0 (sigstore#140) Contributors ============ * Flavio Castelli (@flavio) * Xynnn (@Xynnn007) Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
cosigntool can produce signatures using a PKCS11 token. These signatures feature acertificateannotation inside of their OCI layer.However, when
COSIGN_EXPERIMENTALis not enabled, the layer will not feature a Rekor bundle.Prior to this commit, the code assumed signature layers could have a
certificateannotation only when using the Fulcio integration. Because of that, layers with acertificatebut without a Rekor bundle were discarded. That was done to ensure the robustness of keyless verification.This commit changes the code that creates
SignatureLayerobjects to not raise errors when an embedded certificate cannot be verified. Be it because it has been forged/invalid/etc or because the Rekor bundle is not found inside of the layer.The resulting
SignatureLayerwill not be discarded, but it will have itscertificate_signatureattribute set toNone.The verification constraints implementing keyless verification will discard these kind of layers because they do not have a
certificate_signature.However, the public key based verifier will be able to verify the signature stored inside of the layer.
This solves the following scenario:
Fixes #135