Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adds keyless signatures documentation #56

Merged
merged 4 commits into from
Feb 8, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 172 additions & 0 deletions content/en/cosign/keyless.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
---
title: "Keyless Signatures"
category: "Cosign"
position: 122
---

You can review the [full design document](https://docs.google.com/document/d/1461lQUoVqbhCve7PuKNf-2_NfpjrzBG5tFohuMVTuK4/edit#) for more details.
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved

This document explains how the keyless signatures work in Cosign. This signature mode relies on the Sig store Public Good Instance.
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved

The following examples use this image:

```shell
$ IMAGE=gcr.io/dlorenc-vmtest2/demo
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
$ IMAGE_DIGEST=$IMAGE@sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36
```

## Usage

Keyless signing:

```shell
$ COSIGN_EXPERIMENTAL=1 cosign sign $IMAGE_DIGEST
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5556%2Fauth%2Fgoogle%2Fcallback&response_type=code
Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig
```

Keyless verifying:

```shell
$ COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE
The following checks were performed on all of these signatures:
- The cosign claims were validated
- The claims were present in the transparency log
- The signatures were integrated into the transparency log when the certificate was valid
- Any certificates were verified against the Fulcio roots.
Certificate subject: dlorenc@google.com
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36"},"Type":"cosign container image signature"},"Optional":null}
```

The rest of the flags (annotations, claims, tlog, etc.) should all work the same.

## Overview

This uses ephemeral keys and certificates, which are signed automatically by the `fulcio` CA.
Signatures are stored in the `rekor` transparency log, which automatically provides an attestation
as to when the signature was created.

Information on the `fulcio` CA can be found in the [fulcio repository](https://github.com/sigstore/fulcio).

### Keys
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved

The root CA keys are hard-coded in Cosign today.
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
They can only be changed by recompiling the binary.
This will be made more configurable in the future.

> TODO: Add more documentation here.

### OAuth Flows

Cosign supports two OAuth flows today: the standard flow and the device flow.

When there is no terminal attached (non-interactive mode), Cosign will automatically use the device flow
where a link is printed to stdout.
This link must be opened in a browser to complete the flow.

### Identity Tokens

In automated environments, Cosign also supports directly using OIDC Identity Tokens from specific issuers.
These can be supplied on the command line with the `--identity-token` flag.
The `audiences` field must contain `sigstore`.

Cosign also has support for detecting some of these automated environments
and producing an identity token. Currently this supports Google Compute Engine, GitHub Actions and SPIFFE tokens.

#### On GCP

From a GCE VM, you can use the VM's service account identity to sign an image:

```shell
$ IDENTITY_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore)
$ cosign sign --identity-token=$IDENTITY_TOKEN $IMAGE_DIGEST
```

From outside a GCE VM, you can impersonate a GCP IAM service account to sign an image:

```shell
$ IDENTITY_TOKEN=$(gcloud auth print-identity-token \
--audiences=sigstore \
--include-email \
--impersonate-service-account my-sa@my-project.iam.gserviceaccount.com)
$ cosign sign --identity-token=$IDENTITY_TOKEN $IMAGE_DIGEST
```

In order to impersonate an IAM service account, your account must have the
`roles/iam.serviceAccountTokenCreator` role.

**Note**: On Google Cloud Build, standard identity tokens are not supported through the GCE metadata server.
Cosign has a special flow for this case, where you can instruct the Cloud Build service account to impersonate
another service account.
To configure this flow:

1. Create a service account to use for signatures (the email address will be present in the certificate subject).
2. Grant the Cloud Build service account the `roles/iam.serviceAccountTokenCreator` role for this target account.
3. Set the `GOOGLE_SERVICE_ACCOUNT_NAME` environment variable to the name of the target account in your cloudbuild.yaml
4. Sign images in GCB, without keys!

### Timestamps

ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
Signature timestamps are checked in the [rekor](https://github.com/sigstore/rekor) transparency log. Rekor's `IntegratedTime` is signed as part of its `signedEntryTimestamp`. Cosign verifies the signature over the timestamp and checks that the signature was created while the certificate was valid.

> TODO: Add more documentation here

## Public Staging Environment
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved


There is a public staging environment that is running Fulcio, Rekor and OIDC issuer.

**NOTE** The staging environment provides no SLO guarantees nor the same protection of the root key material for TUF. This environment is meant for development and testing only, PLEASE do not use for production purposes.

The endpoints are as follows:

* https://fulcio.sigstage.dev
* https://rekor.sigstage.dev
* https://oauth2.sigstage.dev/auth

These instances are operated and maintained in the same manner as the public production environment for Sigstore.

### Usage

To use this instance, follow the steps below:

1. `rm -r ~/.sigstore`
1. `gsutil cp -r gs://tuf-root-staging/root.json .`
1. `cd tuf-root-staging`
1. `cosign initialize --mirror=tuf-root-staging --root=root.json`
1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE_DIGEST}`
1. `COSIGN_EXPERIMENTAL=1 cosign verify --rekor-url "https://rekor.sigstage.dev" ${IMAGE}`

* Steps 1-4 configures your local environment to use the staging keys and certificates.
* Step 5 specify the staging environment with flags needed for signing.
* Step 6 specify the staging environment with flags needed for verifying.

#### Revert back to Production

We need to clear the local TUF root data and re-initialize with the default production TUF root data.

1. `rm -r ~/.sigstore`
1. `cosign initialize`

## Custom Infrastructure
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved

If you're running your own sigstore services flags are available to set your own endpoint's, e.g

```
COSIGN_EXPERIMENTAL=1 cosign sign -oidc-issuer "https://oauth2.example.com/auth" \
ChrisJBurns marked this conversation as resolved.
Show resolved Hide resolved
-fulcio-url "https://fulcio.example.com" \
-rekor-url "https://rekor.example.com" \
$IMAGE_DIGEST

```

### Custom root Cert

You can override the public good instance CA using the environment variable `SIGSTORE_ROOT_FILE`, e.g.

```
export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem"
```
8 changes: 1 addition & 7 deletions content/en/cosign/sign.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,7 @@ If you need to generate local keys, you can do so by running `cosign generate-ke

## Keyless signing

You can use Cosign to sign without keys by authenticating with an OIDC (OpenID Connect) protocol supported by Sigstore. Currently, you can authenticate with Google, GitHub, or Microsoft.

```shell
$ COSIGN_EXPERIMENTAL=1 cosign sign user/demo
```

This will open a browser window to authenticate your credentials for the signature.
You can use Cosign to sign with ephemeral keys by authenticating with an OIDC (OpenID Connect) protocol supported by Sigstore. Currently, you can authenticate with Google, GitHub, or Microsoft. For more information, read [Keyless Signatures](/cosign/keyless/).

## Sign a container multiple times

Expand Down