-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add --ca-roots and --ca-intermediates flags to 'cosign verify' #3464
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3464 +/- ##
==========================================
- Coverage 40.10% 36.44% -3.66%
==========================================
Files 155 200 +45
Lines 10044 12282 +2238
==========================================
+ Hits 4028 4476 +448
- Misses 5530 7260 +1730
- Partials 486 546 +60 ☔ View full report in Codecov by Sentry. |
@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft? |
8fb3141
to
fca88dc
Compare
@haydentherapper marked as "ready for review" now. I thought about adding unit tests - but I believe the current implementation with the "big" |
323e003
to
9954fe2
Compare
8e49130
to
22350e9
Compare
e770d38
to
e7375fa
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given this is a more sensitive change, cc'ing a few others for thoughts - @woodruffw @kommendorkapten PTAL.
pkg/cosign/verify.go
Outdated
// ValidateAndUnpackCertWithCertPools creates a Verifier from a certificate. Verifies that the certificate | ||
// chains up to the provided root. CheckOpts should contain a pool of CA Roots and optionally the Intermediates. | ||
// Optionally verifies the subject and issuer of the certificate. | ||
func ValidateAndUnpackCertWithCertPools(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given this is only used in one place, can we just call ValidateAndUnpackCert
directly? I believe if no roots are provided, verification will fail so we don't need an explicit check, though it would be good to have a unit test to confirm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[FYI] I tried to "combine" the two functions but was getting test failures with cosign attach flows - likely I have missed some code paths. Backed up to the state that you reviewed for now to get into the green build zone - will try again "with smaller steps."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got rid of the "special" function ValidateAndUnpackCertWithCertPools
in 44e0ff5.
Do you think I should remove this check?
https://github.com/sigstore/cosign/pull/3464/files#diff-fc9a26a4caa1d8684a4bdd9102f187f44e1f7fce7c06a19f4185035f13317cc8R296-R298
if co.RootCerts == nil {
return errors.New("no CA roots provided to validate certificate")
}
I would think it can be good to fail earlier with possibly more explicit error what have gone wrong, to make for easier troubleshooting (if it ever gets triggered). Let me know if you prefer this yanked @haydentherapper. I will also look into adding or expanding the unit tests, as you mentioned above.
78c7400
to
1c1deda
Compare
3a90f30
to
989f2c0
Compare
Related to issue sigstore#3462. Current commit adds the flag to verify the CLI options. The new flag doesn't have any effect yet (will add in follow-up PRs). Signed-off-by: Dmitry S <dsavints@gmail.com>
Add --ca-roots command-line flag for 'cosign verify' to enable verifying cosign signatures using PEM bundles of CA roots. Whether to also add --ca-intermediates flag is TBD. Unit tests will be added in the next commit(s). Fixes sigstore#3462. Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry Savintsev <dsavints@yahooinc.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dmitris, thanks for pushing this through. This looks good, and from comparing to the last review, reusing ValidateAndUnpackCert
keeps this much cleaner. And the tests look great. I pointed out a few duplicate tests that are in another e2e_test file, can they be removed?
Can you add the duplicated CLI options for verify-blob, verify-attestation, and verify-blob-attestation now?
cmd.Flags().StringVar(&o.CAIntermediates, "ca-intermediates", "", | ||
"path to a file of intermediate CA certificates in PEM format which will be needed "+ | ||
"when building the certificate chains for the signing certificate. "+ | ||
"The flag is optional and must be used together with --ca-roots, conflicts with "+ | ||
"--certificate-chain.") | ||
_ = cmd.Flags().SetAnnotation("ca-intermediates", cobra.BashCompFilenameExt, []string{"cert"}) | ||
cmd.Flags().StringVar(&o.CARoots, "ca-roots", "", | ||
"path to a bundle file of CA certificates in PEM format which will be needed "+ | ||
"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.") | ||
_ = cmd.Flags().SetAnnotation("ca-roots", cobra.BashCompFilenameExt, []string{"cert"}) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for raising this issue back up, but to summarize how I'm looking at this:
- We know
--trusted-root
is the route we eventually want to take. We are slowly adding sigstore-go dependencies in Cosign. Once we add support for trusted-root, we will deprecate all other options for providing trust root information, including the one proposed here. With that said, deprecation will take time. - The current trust root spec supports chains rather than pools, as noted in this issue. We need to add support for pools to match this PR.
I'm fine moving forward with this because it unblocks @dmitris's use-case. While it is adding more complexity around how roots are provided, there are already a number of ways that adding one more doesn't add much more complexity. We should concurrently discuss moving sigstore/protobuf-specs#249 forward.
Signed-off-by: Dmitry S <dsavints@gmail.com>
Signed-off-by: Dmitry S <dsavints@gmail.com>
Chatted offline with @dmitris who will follow up in a second PR with the updates to the other verify-* commands. |
Summary
Add new
--ca-roots
and--ca-intermediates
flags to allow pass a certificate bundle PEM file with multiple CA roots and optionally a file with the intermediate certificates. Related to issue #3462. Current commit adds the two flags to verify the CLI options. There is a new functional test filetest/e2e_tsa_certbundle.sh
for the new flags tocosign verify
.Release Note
added --ca-roots and
--ca-intermediates
flags to take a certificate bundle PEM file with one or multiple CA roots and optionally a PEM file with intermediate certificates. Both flags are exclusive with--certificate-chain
.Documentation
sigstore/docs#291