Configure additional certificate extensions for Buildkite
The Buildkite Issuer was added in sigstore#890, prior to the efforts to standardise
certificate extensions for CI providers, and sigstore#1074 calls for the Buildkite
issuer to be updated to use the new extensions (where applicable).

This is an early attempt to make those changes. I initially started these in sigstore#1307,
however this is a new swing at it using the new CIProvider issuer (see sigstore#1729 and sigstore#1743).

I've added the extensions that make the most sense in a Buildkite context, like
RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the
other extensions don't apply because we're not a code host as well, or need
further discussion.

I have not added tests yet. This is my first contribution to fulcio and I'm
keen to confirm I'm heading in the right direction before adding tests.
However, I have tested this locally with a Buildkite agent and OIDC token, and
the certificate was issued as expected.

I started a local fulcio like this:

    $ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml

... and signed git commits with gitsign. The relevant bits of the
certificates look like:

    git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
    ...
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            Code Signing
        X509v3 Subject Key Identifier:
            36:D2:99:B9:BA:98:4B:3A:77:51:DC:08:05:83:12:9A:F4:EE:41:E5
        X509v3 Authority Key Identifier:
            D2:41:21:29:23:AD:E9:27:69:6F:DB:85:6D:1B:3F:7E:A9:55:F3:02
        X509v3 Subject Alternative Name: critical
            URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
        1.3.6.1.4.1.57264.1.1:
            https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.8:
            ..https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.11:
            ..self-hosted
        1.3.6.1.4.1.57264.1.13:
            .(078a6dd4a32fa40592c21a40aedaf27105503140
        1.3.6.1.4.1.57264.1.20:
            ..ui
        1.3.6.1.4.1.57264.1.21:
            .khttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270

Signed-off-by: James Healy <james@buildkite.com>
yob committed Jan 9, 2025
1 parent 257a3a9 commit d5e7817
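An added example, not code from this commit or from fulcio, showing how a verifier would read these extensions from a parsed certificate: OID 1.3.6.1.4.1.57264.1.1 carries the issuer as raw bytes, while .8, .11, .13, .20 and .21 carry DER UTF8Strings, which is why their values in the dump above print with two leading tag/length bytes. The certificate is a constructed struct populated only with those extensions, using the values copied from the dump; `oid`, `BuildkiteClaims`, `ExtractBuildkiteClaims` and `SampleBuildkiteCert` are my own names.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// oid builds 1.3.6.1.4.1.57264.1.N, the Sigstore arc used by the extensions printed above.
func oid(n int) asn1.ObjectIdentifier { return asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, n} }

// BuildkiteClaims is a hypothetical verifier-side view of those extensions; field names are mine.
type BuildkiteClaims struct{ IssuerV1, Issuer, RunnerEnvironment, SourceRepositoryDigest, BuildTrigger, RunInvocationURI string }

// ExtractBuildkiteClaims reads the extensions. OID .1 holds the raw string; .8 and later hold a DER UTF8String, hence the ".." prefix in the openssl dump above.
func ExtractBuildkiteClaims(cert *x509.Certificate) (BuildkiteClaims, error) {
	var c BuildkiteClaims
	want := map[int]*string{8: &c.Issuer, 11: &c.RunnerEnvironment, 13: &c.SourceRepositoryDigest, 20: &c.BuildTrigger, 21: &c.RunInvocationURI}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid(1)) {
			c.IssuerV1 = string(ext.Value) // deprecated form: no DER wrapper, so do not asn1-decode it
		}
		for n, dst := range want {
			if !ext.Id.Equal(oid(n)) {
				continue
			}
			if rest, err := asn1.Unmarshal(ext.Value, dst); err != nil || len(rest) != 0 {
				return c, fmt.Errorf("extension %v is not a single DER string (%v)", ext.Id, err)
			}
		}
	}
	if c.RunInvocationURI == "" || c.RunnerEnvironment == "" {
		return c, fmt.Errorf("certificate lacks the Buildkite run extensions")
	}
	return c, nil
}

// SampleBuildkiteCert returns a constructed certificate with the same OIDs and values as the gitsign certificate in the commit message; only Extensions is populated.
func SampleBuildkiteCert() *x509.Certificate {
	ext := func(n int, v string) pkix.Extension {
		b, _ := asn1.MarshalWithParams(v, "utf8") // DER UTF8String wrapper, as Fulcio emits for .8 and later
		return pkix.Extension{Id: oid(n), Value: b}
	}
	return &x509.Certificate{Extensions: []pkix.Extension{
		{Id: oid(1), Value: []byte("https://agent.buildkite.com")}, // raw bytes, no wrapper
		ext(8, "https://agent.buildkite.com"), ext(11, "self-hosted"), ext(20, "ui"),
		ext(13, "078a6dd4a32fa40592c21a40aedaf27105503140"),
		ext(21, "https://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270"),
	}}
}
```

A real certificate goes through `x509.ParseCertificate` first, which fills `Extensions` with exactly the entries this parser walks.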
Showing 2 changed files with 31 additions and 22 deletions.
11 changes: 10 additions & 1 deletion config/identity/config.yaml
Expand Up @@ -236,4 +236,13 @@ ci-issuer-metadata:
*buildkite-type:
default-template-values:
url: "https://buildkite.com"
subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
extension-templates:
# Link to the specific Buildkite job that the OIDC token was generated from
run-invocation-uri: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}/builds/{{.build_number}}#{{.job_id}}"
# Was the job executed on Buildkite operated compute or customer hosted compute? (valid values: self-hosted, buildkite-hosted)
runner-environment: "runner_environment"
# The git sha that job was running, available in the `build_commit` claim
source-repository-digest: "build_commit"
# build_source: Event that triggered this workflow run. (valid values: api, ui, webhook, trigger_job, schedule)
build-trigger: "build_source"
subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" # seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?
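Review bot: the last line of the hunk re-states `subject-alternative-name-template` under `*buildkite-type` with an open question left as an inline comment (`# seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?`); that question should be settled and the comment dropped before merge, and the rendered diff shows two `subject-alternative-name-template:` lines in this mapping, so please confirm only one survives in the file, since a repeated YAML key is either rejected or silently last-wins depending on the loader. The new `runner-environment`, `source-repository-digest` and `build-trigger` entries map to the claim names `runner_environment`, `build_commit` and `build_source`, with their valid values recorded only in comments; the commit message says tests are still to come, and a test that feeds a sample token through this template and asserts on the resulting extension values would pin exactly those mappings.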

0 comments on commit d5e7817