-
Notifications
You must be signed in to change notification settings - Fork 549
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for providing a trust root file for private deployments #3700
Comments
sigstore-python has added this via a While SigningConfig is not yet available via TUF, in the future the two client configuration paths should likely be:
The second case could be handled by two separate options ( |
While working on #3139, we made some progress here, but also left some other parts undone. We did add As more Sigstore / There's more than one way this could be done. Two likely implementations both require refactoring
|
We have somewhat already separated out how to fetch trust root material - each time a target is required, a TUF client is initialized and that target is requested, like https://github.com/sigstore/sigstore/blob/main/pkg/fulcioroots/fulcioroots.go. We instead pull trust root material from |
I started going down the path of using existing There's a substantial difference between providing a single certificate chain and supplying a trusted root file. The public good instance periodically rotates its signing material, and so in the public good trusted root file there are two entries for Cosign's current verification path today assumes that you provide one certificate chain. We could change this, of course, to match the logic that's in sigstore-go, but that makes me lean in the direction of using sigstore-go whenever a trusted root is provided. |
@steiza This also gets into the idea of pools over chains which was discussed in sigstore/protobuf-specs#249 - moving towards allowing pools of trusted certs and push chain building to the x509 library rather than rely on a user to build their chains. With what we have currently, I think we can do the same in Cosign even without pools - If you provide a trust root with multiple CAs, then we merge all roots together (assuming the last in the chain is the root) and merge all intermediates together into their respective pools, and then pass that to the verifier. |
We recently added partial trusted root support to cosign when you are verifying a protobuf bundle, but this did not cover the case where you aren't using a bundle. This implements trusted root support for those cases by assembling the disparate signed material into a bundle, fixing some TODOs from when we added protobuf bundle support. Signed-off-by: Zach Steindler <[email protected]>
To help cosign users move from providing disparate verification material to a single file that contains the needed verification material. This makes it easier for users to rotate key material and specify what time period different keys were valid.
To help cosign users move from providing disparate verification material to a single file that contains the needed verification material. This makes it easier for users to rotate key material and specify what time period different keys were valid. Signed-off-by: Zach Steindler <[email protected]>
We should also update https://docs.sigstore.dev/system_config/custom_components/. |
I added sigstore/docs#327 to update the docs. |
I think this has some overlap with #3548, should they maybe be combined? |
These issues should be distinct, though there might be some overlap when implementing. #3548 should fetch the same set of targets as the current implementation, namely the individual target files by name, and also fetching targets by custom metadata using the v1 TUF client. This should effectively be a no-op, as we should fetch the same set of files using both clients. Once we've done that, we can then mark the custom metadata as deprecated. #3700 is about providing a spec-compliant trust root bundle to begin deprecating the many options in Cosign to provide trust root targets. Technically you could use the v1 TUF client to fetch the trust root by file name as well. The overlap is in the merger of both of these, using the newest TUF client to fetch the trust root. I think we can implement each as separate improvements - the TUF v2 client change should be largely invisible to users, and the trust root bundle option shouldn't be a breaking change as it will be in addition to other options. To be discussed more: In Cosign v3, I'd propose removing support for the custom TUF metadata and the individual CLI flags for trust root metadata. I think this is a small enough breaking change that we should see adoption of Cosign v3 quickly. |
We recently added partial trusted root support to cosign when you are verifying a protobuf bundle, but this did not cover the case where you aren't using a bundle. This implements trusted root support for those cases by assembling the disparate signed material into a bundle, fixing some TODOs from when we added protobuf bundle support. Signed-off-by: Zach Steindler <[email protected]>
Description
Goal is to provide a simple interface for users to provide their own roots of trust for services (Rekor, Fulcio, CT log, TSA) by using the "trust root" specification.
Related to #3548, as the public good instance trust root will be provided through TUF.
This will obsolete many open issues around providing root key material. TODO is to find them all and link them here. Long-term, we will deprecate many of the CLI flags and environment variables in favor of using this trust root file.
The text was updated successfully, but these errors were encountered: