
fix verification of signatures produced with PKCS11 #142

Merged

Commits on Oct 12, 2022

  1. docs: fix outdated inline docs

    The documentation of the `SignatureLayer::new` method was mentioning
    a parameter that no longer exists.
    
    Signed-off-by: Flavio Castelli <fcastelli@suse.com>
    flavio committed Oct 12, 2022
    6b4ff41
  2. fix: support signatures produced with PKCS11 token

    The `cosign` tool can produce signatures using a PKCS11 token. These
    signatures feature a `certificate` annotation inside of their OCI layer.
    
    However, when `COSIGN_EXPERIMENTAL` is not enabled, the layer will not
    feature a Rekor bundle.
    
    Prior to this commit, the code assumed signature layers could have a
    `certificate` annotation only when using the Fulcio integration. Because
    of that, layers with a `certificate` but without a Rekor bundle were
    discarded. That was done to ensure the robustness of keyless
    verification.
    
    This commit changes the code that creates `SignatureLayer` objects to not
    raise errors when an embedded certificate cannot be verified, be it
    because it has been forged/is invalid/etc. or because the Rekor bundle is
    not found inside of the layer.
    
    The resulting `SignatureLayer` will not be discarded, but it will have
    its `certificate_signature` attribute set to `None`.
    
    > **Note:** `SignatureLayer::certificate_signature` was already an `Option`
    > before this commit.
    
    The verification constraints implementing keyless verification will
    discard these kinds of layers because they do not have a
    `certificate_signature`.
    
    However, the public key based verifier will be able to verify the
    signature stored inside of the layer.
    
    This solves the following scenario:
    
    > Given Alice signed a container image using a PKCS11 token but without having cosign's Rekor integration enabled
    > When verifying the container image signature using the public key associated with the certificate stored on her PKCS11 token
    > Then the container image will be reported as successfully verified
    
    Fixes sigstore#135
    
    Signed-off-by: Flavio Castelli <fcastelli@suse.com>
    flavio committed Oct 12, 2022
    5b1fae7
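The control flow the commit message above describes, as an added illustration that is not code from sigstore-rs: a layer builder that keeps a layer whose certificate cannot be verified (setting `certificate_signature` to `None`), a keyless constraint that rejects such layers, and a public-key constraint that still verifies the signature. `LayerAnnotations`, `BuildError`, `VerificationConstraint`, `verify_certificate` and `toy_sign` are stand-ins invented for this example; `toy_sign` is a keyed hash standing in for a real signature scheme, not cryptography to reuse.

```rust
// Added example modelling the pre-fix and post-fix behaviour described in the
// commit message. Types, trait and the "signature" check are constructed
// stand-ins, not the sigstore-rs crate's API.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Constructed stand-in for the annotations on a cosign signature layer.
#[derive(Debug, Clone)]
pub struct LayerAnnotations {
    pub payload: String,              // the payload the signature covers
    pub signature: String,            // the signature annotation
    pub certificate: Option<String>,  // present for Fulcio and for PKCS11 signing
    pub rekor_bundle: Option<String>, // present only when Rekor integration is on
}

#[derive(Debug, Clone, PartialEq)]
pub struct SignatureLayer {
    pub payload: String,
    pub signature: String,
    /// Some only when the embedded certificate was verified together with a
    /// Rekor bundle; None otherwise. The layer itself is kept either way.
    pub certificate_signature: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum BuildError {
    MissingSignature,
    /// Only produced by the pre-fix builder.
    CertificateNotVerifiable(String),
}

/// Hypothetical certificate check. The real library validates the Fulcio
/// chain and the Rekor bundle; here a certificate "verifies" only if a bundle
/// exists and names it.
fn verify_certificate(cert: &str, bundle: Option<&str>) -> Result<String, String> {
    let bundle = bundle.ok_or_else(|| "no Rekor bundle in layer".to_string())?;
    if !bundle.contains(cert) {
        return Err("Rekor bundle does not cover this certificate".to_string());
    }
    Ok(format!("verified:{cert}"))
}

/// Pre-fix behaviour: a certificate that cannot be verified discards the layer.
pub fn build_layer_before_fix(a: &LayerAnnotations) -> Result<SignatureLayer, BuildError> {
    if a.signature.is_empty() {
        return Err(BuildError::MissingSignature);
    }
    let certificate_signature = match &a.certificate {
        Some(cert) => Some(
            verify_certificate(cert, a.rekor_bundle.as_deref())
                .map_err(BuildError::CertificateNotVerifiable)?,
        ),
        None => None,
    };
    Ok(SignatureLayer { payload: a.payload.clone(), signature: a.signature.clone(), certificate_signature })
}

/// Post-fix behaviour: certificate problems downgrade to `None`; the layer is
/// kept so a public-key verifier can still evaluate it.
pub fn build_layer(a: &LayerAnnotations) -> Result<SignatureLayer, BuildError> {
    if a.signature.is_empty() {
        return Err(BuildError::MissingSignature);
    }
    let certificate_signature = a
        .certificate
        .as_deref()
        .and_then(|cert| verify_certificate(cert, a.rekor_bundle.as_deref()).ok());
    Ok(SignatureLayer { payload: a.payload.clone(), signature: a.signature.clone(), certificate_signature })
}

pub trait VerificationConstraint {
    fn verify(&self, layer: &SignatureLayer) -> bool;
}

/// Keyless verification: satisfied only by layers with a verified certificate.
pub struct KeylessConstraint;
impl VerificationConstraint for KeylessConstraint {
    fn verify(&self, layer: &SignatureLayer) -> bool {
        layer.certificate_signature.is_some()
    }
}

/// Public-key verification: checks the signature over the payload and ignores
/// the certificate entirely.
pub struct PublicKeyConstraint {
    pub public_key: String,
}
impl VerificationConstraint for PublicKeyConstraint {
    fn verify(&self, layer: &SignatureLayer) -> bool {
        layer.signature == toy_sign(&self.public_key, &layer.payload)
    }
}

/// Constructed stand-in for a signature scheme: a keyed hash, so a mismatched
/// key or payload fails. The same string plays private and public key here.
pub fn toy_sign(key: &str, payload: &str) -> String {
    let mut h = DefaultHasher::new();
    (key, payload).hash(&mut h);
    format!("{:016x}", h.finish())
}
```

Run as a whole, a layer carrying a `certificate` but no Rekor bundle (the PKCS11 scenario from the commit message) fails `build_layer_before_fix`, is built by `build_layer` with `certificate_signature == None`, is rejected by `KeylessConstraint`, and is accepted by `PublicKeyConstraint` for the matching key only.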
  3. chore: fix a bunch of warnings

    Address clippy and rustfmt warnings
    
    Signed-off-by: Flavio Castelli <fcastelli@suse.com>
    flavio committed Oct 12, 2022
    51fcde8