Add Sigstore OIDs #18
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Diffs generated by `google/go-cmp` provide more information in case there's a difference between the output generated by the package vs. what's in the known good test files.
|
Also added https://github.com/google/go-cmp so that we get nice output when package output deviates from the known good test files. Example output after changing --- FAIL: TestSigstoreCertInfo (0.01s)
certinfo_test.go:62: 'test_certs/sigstore2.cert.pem' did not match reference 'test_certs/sigstore2.cert.text'
certinfo_test.go:63: Diff follows:
bytes.Join({
... // 1272 identical bytes
":33:25:1A:5F:FE:27:51:DE:8A:17:F3:6A:32:27:90:42:50:51:A3\n ",
" X509v3 Subject Alternative Name: critical\n ",
- "Fulcio",
+ "Sigstore",
" Identity: foo!127.0.0.1\n ",
- "Fulcio",
+ "Sigstore",
" OIDC Issuer:\n http://127.0.0.1:45661\n ",
" RFC6962 Certificate Transparency SCT:\n SCT [0]:\n",
... // 814 identical bytes
}, "")
FAIL
FAIL github.com/smallstep/certinfo 0.153s
FAIL |
maraino
approved these changes
Sep 30, 2022
| buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value))) | ||
| case ext.Id.Equal(oidSigstoreGithubWorkflowSha): | ||
| printExtensionHeader("Sigstore GitHub Workflow SHA Hash", ext, &buf) | ||
| buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value))) |
There was a problem hiding this comment.
The string representation of the ext.Value bytes is the git commit hash. Here's the output for a more recent certificate:
Tagged release https://github.com/symfony-cli/symfony-cli/releases/tag/v5.4.14, pointing to git commit symfony-cli/symfony-cli@550b40f.
For the certificate: https://github.com/symfony-cli/symfony-cli/releases/download/v5.4.14/symfony-cli-5.4.14.aarch64.rpm.pem (after base64 decoding the contents of the pem file; apparently the certificate gets base64 encoded):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 231541021813795677369205938004025370801348566093 (0x288ea893d078ba2cae17dc7e0ad2fd59eadc5c4d)
Signature Algorithm: ECDSA-SHA384
Issuer: O=sigstore.dev,CN=sigstore-intermediate
Validity
Not Before: Sep 30 07:36:13 2022 UTC
Not After : Sep 30 07:46:13 2022 UTC
Subject:
Subject Public Key Info:
Public Key Algorithm: ECDSA
Public-Key: (256 bit)
X:
d3:f3:6f:48:d5:bf:a0:f7:ca:4c:ad:46:23:18:d0:
a3:4c:bd:fd:85:f9:7e:98:fe:63:75:5f:63:dd:bb:
66:d4
Y:
4a:ec:8e:2b:da:14:d5:6a:df:64:37:d9:24:40:f1:
b7:d7:22:af:11:63:7a:84:f0:20:5b:e6:52:8c:01:
57:a4
Curve: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Subject Key Identifier:
07:C3:27:DD:E1:41:B3:FC:04:A5:BA:36:22:47:27:D1:5F:63:A0:F9
X509v3 Authority Key Identifier:
keyid:DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
X509v3 Subject Alternative Name: critical
URI:https://github.com/symfony-cli/symfony-cli/.github/workflows/releaser.yml@refs/tags/v5.4.14
Sigstore OIDC Issuer:
https://token.actions.githubusercontent.com
Sigstore GitHub Workflow Trigger:
push
Sigstore GitHub Workflow SHA Hash:
550b40f4fb799e5ea3eef8598ad5e9a212e7f2d8
Sigstore GitHub Workflow Name:
Release
Sigstore GitHub Workflow Repository:
symfony-cli/symfony-cli
Sigstore GitHub Workflow Ref:
refs/tags/v5.4.14
RFC6962 Certificate Transparency SCT:
SCT [0]:
Version: V1 (0x0)
LogID: CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I=
Timestamp: Sep 30 07:36:13.078 2022 UTC
Signature Algorithm: SHA256-ECDSA
30:44:02:20:77:1e:79:98:b8:66:75:bb:3d:39:f3:76:c5:0d:
fb:9b:67:2e:58:dc:8e:4b:a8:02:76:e8:e2:9a:59:bd:26:37:
02:20:36:16:b4:24:e4:0b:47:5c:25:3f:b9:9e:56:8e:4d:be:
65:78:e9:ed:04:07:bf:5d:dd:11:95:f1:46:ec:a5:2e
Signature Algorithm: ECDSA-SHA384
30:64:02:30:74:20:df:22:fd:63:26:38:ae:19:b5:fd:34:83:
97:ad:69:8c:04:37:6d:5f:15:f6:b5:98:62:11:32:49:50:d5:
17:05:a9:82:e7:6a:72:59:0a:7f:83:f5:9c:0e:f7:46:02:30:
79:7a:6f:46:32:8e:5c:b4:c3:31:a3:ba:ca:10:56:82:2d:0b:
6e:f9:8f:e7:cb:25:c7:d6:4a:c2:8d:49:0c:7e:00:63:e5:b8:
8f:1e:34:5f:6f:b1:da:7c:e6:18:8d:56
|
@maraino: merging this assuming your question is answered 🙂 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for printing the Sigstore OIDs as described here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
Example output using
step certificate inspectwith a certificate obtained from a GitHub Action run:Example with a Fulcio Identity (OtherName) SAN that was recently added in sigstore/fulcio#802: