Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verify-blob: add URI to verify-blob output #1047

Merged
merged 1 commit into from
Nov 16, 2021
Merged

verify-blob: add URI to verify-blob output #1047

merged 1 commit into from
Nov 16, 2021

Conversation

shibumi
Copy link
Contributor

@shibumi shibumi commented Nov 13, 2021
edited
Loading

Summary

Adds an URI field to the verify-blob output.

Before this PR:

❯ COSIGN_EXPERIMENTAL=1  cosign verify-blob /tmp/mnemonic-0.3.1.tar.gz --signature /tmp/mnemonic-0.3.1.tar.gz.sig
Certificate is trusted by Fulcio Root CA
Email: []
Verified OK
tlog entry verified with uuid: "228527476f82c59641e27b8fb9b32f5fadbe47cf42c544ea97dc798490c4c14e" index: 853327

After this PR:

❯ COSIGN_EXPERIMENTAL=1  ./cosign verify-blob /tmp/mnemonic-0.3.1.tar.gz --signature /tmp/mnemonic-0.3.1.tar.gz.sig
Certificate is trusted by Fulcio Root CA
Email: []
URI: https://github.com/shibumi/mnemonic/.github/workflows/goreleaser.yml@refs/tags/v0.3.1
Issuer:  https://token.actions.githubusercontent.com
Verified OK
tlog entry verified with uuid: "228527476f82c59641e27b8fb9b32f5fadbe47cf42c544ea97dc798490c4c14e" index: 853327

Ticket Link

Fixes #1046

Release Note

verify-blob gained functionality for printing the URIs of the certificate if there are any.

@shibumi shibumi marked this pull request as draft November 13, 2021 23:31
@shibumi
Copy link
Contributor Author

shibumi commented Nov 13, 2021
edited
Loading

@dlorenc do you know how I get this information here?

            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com

Is it encoded as ASN1 struct in one of the other certificate fields?

@shibumi shibumi force-pushed the shibumi/add-uri-to-verify-blob branch from d65d50d to e1d4673 Compare November 13, 2021 23:48
@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

This part works for printing the certificate extension:

		for _, ext := range cert.Extensions {
			oidc := asn1.ObjectIdentifier{1,3,6,1,4,1,57264,1,1}
			if ext.Id.Equal(oidc) {
				fmt.Fprintln(os.Stderr, "1.3.6.1.4.1.57264.1.1: ", string(ext.Value))
			}
		}

But I have no idea if we might encounter more of these and if the certificate extension is always the same.
We might want to put that ObjectIdentifier as constant somewhere else.

@shibumi shibumi force-pushed the shibumi/add-uri-to-verify-blob branch from e1d4673 to 1401096 Compare November 14, 2021 00:08
@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

I am not really convinced yet if printing the x509 extension/object identifier value is a good idea.
I assume that the current object identifier (the hard coded one) is only valid for Github, is this correct?

And throwing all values to the user might be more confusing than it actually helps.

If the object identifier stays the same, it makes sense to include it. If not, we might just use the URIs?!

@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

Further investigation later. Looks like this OID stays the same:

http://www.oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.57264&a=display

@shibumi
verify-blob: add URI to verify-blob output
c48e4ec 
We should print the URIs mentioned in the certificate, if there are any.

Signed-off-by: Christian Rebischke <[email protected]>
@shibumi shibumi force-pushed the shibumi/add-uri-to-verify-blob branch from 1401096 to c48e4ec Compare November 14, 2021 01:24
@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

New Output:

Certificate is trusted by Fulcio Root CA
Email: []
URI: https://github.com/shibumi/mnemonic/.github/workflows/goreleaser.yml@refs/tags/v0.3.1
Issuer:  https://token.actions.githubusercontent.com
Verified OK
tlog entry verified with uuid: "228527476f82c59641e27b8fb9b32f5fadbe47cf42c544ea97dc798490c4c14e" index: 853327

@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

@dlorenc Would it make sense to give verify operations a format flag for machine-readable output? Or is this over the top?

@dlorenc
Copy link
Member

dlorenc commented Nov 14, 2021

Would it make sense to give verify operations a format flag for machine-readable output? Or is this over the top?

I think this makes sense, just a plain json output?

@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

Yes, just a plain json output, but I think it makes sense to address this in another issue.

If we implement a format flag, we have to stay persistent with the JSON schema. People would rely on it, because it is machine readable.

I will create a separate issue for this.

@shibumi
Copy link
Contributor Author

shibumi commented Nov 14, 2021

Done: Separate Issue for JSON output: #1048

@shibumi shibumi marked this pull request as ready for review November 15, 2021 23:16
@dlorenc dlorenc merged commit d48fe25 into sigstore:main Nov 16, 2021
@github-actions github-actions bot added this to the v1.4.0 milestone Nov 16, 2021
@shibumi shibumi mentioned this pull request Nov 16, 2021
Closed
@shibumi shibumi deleted the shibumi/add-uri-to-verify-blob branch November 16, 2021 13:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.4.0
Development

Successfully merging this pull request may close these issues.

More information about the certificate during verify operations
2 participants
@shibumi @dlorenc