forked from sigstore/fulcio
remove federation, add contact, description #6
Open
javanlacerda wants to merge 20 commits into javan.move-config-yaml from javan.remove-federation-v2
The cosign logic for interacting with Fulcio treats identity tokens as *largely* opaque, and most of the logic for how issuers and subjects and whatnot is handled happens server-side. However, for the "proof of possession" `cosign` has some logic (from `sigstore/sigstore`) that fumbles with `email` and `sub` claims in ways that have (until now) been compatible with Fulcio principals.

The Chainguard provider is the first provider that optionally includes an `email` claim, but we always want the subject we use to be our opaque identifier string (from `sub`). This creates a tear in the fulcio/cosign continuum, and so we must surface what `cosign` is signing as `Name()` even though that isn't necessarily what we embed in the certificate.

The only correct way to implement `Name()` today is to match what this function does, and current implementations happen to align, but unfortunately because of how this abstraction is formulated it is challenging to actually change how we confirm the proof of possession to use this directly in place of the principal itself.

Fixes: sigstore/cosign#3777

Signed-off-by: Matt Moore <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
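
The mismatch that commit message describes, as an added Go example (not code from Fulcio, cosign or this pull request): the client signs its proof of possession over a subject chosen from the token's claims, while the certificate carries the opaque `sub`. The selection rule (verified `email` if present, otherwise `sub`) is an assumption, the names `claims`, `clientSubject`, `certIdentity` and `demo` are hypothetical, and the claim values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// claims holds the ID-token fields that matter here (constructed values, not a real token).
type claims struct {
	Sub, Email    string
	EmailVerified bool
}

// clientSubject is what the client signs. Assumed rule: verified email if present, else sub.
func clientSubject(c claims) (string, error) {
	if c.Email != "" && c.EmailVerified {
		return c.Email, nil
	}
	if c.Email != "" || c.Sub == "" {
		return "", errors.New("unverified email or missing sub")
	}
	return c.Sub, nil
}

// certIdentity is what the server embeds in the certificate: always the opaque sub.
func certIdentity(c claims) string { return c.Sub }

// demo signs as the client, then verifies against the signed subject (what Name() must return) and against certIdentity.
func demo(c claims) (bool, bool, error) {
	subj, err := clientSubject(c)
	if err != nil {
		return false, false, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte(subj))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	verify := func(expected string) bool { // server-side check over the expected string
		d := sha256.Sum256([]byte(expected))
		return ecdsa.VerifyASN1(&key.PublicKey, d[:], sig)
	}
	return verify(subj), verify(certIdentity(c)), err
}

func main() {
	fmt.Println(demo(claims{Sub: "opaque-id-123", Email: "dev@example.com", EmailVerified: true}))
}
```

With an `email` claim present the signature verifies only against the signed subject, so a server that checks the proof against the certificate identity rejects a valid request; with `sub` alone both checks pass.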
This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over.

Ref: sigstore#1111
Add back sigstore#1679

Signed-off-by: Javan lacerda [email protected]
* Bump the all group across 1 directory with 8 updates

Bumps the all group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.0` | `1.17.2` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |

Updates `cloud.google.com/go/security` from 1.17.0 to 1.17.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](googleapis/google-cloud-go@kms/v1.17.0...asset/v1.17.2)

Updates `github.com/sigstore/sigstore` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.4...v1.8.6)

Updates `google.golang.org/api` from 0.185.0 to 0.187.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.185.0...v0.187.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240610135401-a8a62080eff3 to 0.0.0-20240617180043-68d350f18fd4
- [Commits](https://github.com/googleapis/go-genproto/commits)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* update test

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: cpanato <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <[email protected]>
javanlacerda force-pushed the javan.remove-federation-v2 branch 2 times, most recently from 406ec68 to 9ba1ab2 (July 13, 2024 12:38)
Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.47.1 to 0.50.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.47.1...v0.50.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps the all group with 1 update: [actions/setup-go](https://github.com/actions/setup-go).

Updates `actions/setup-go` from 5.0.1 to 5.0.2
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@cdcb360...0a12ed9)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps golang from `fcae9e0` to `829eff9`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.10.0 to 3.11.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.10.0...v3.11.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Migrate the configuration file from json to yaml

Also removes the fulcio-config.yaml file that isn't used

Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml

Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable.

Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration.

Ref sigstore#1111

Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
javanlacerda force-pushed the javan.remove-federation-v2 branch from aeb7bcd to c6a61f6 (July 15, 2024 20:34)
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Javan Lacerda <[email protected]>
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Javan Lacerda <[email protected]>
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Javan Lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
No description provided.