
Add support for Github OIDC #180

Merged
merged 2 commits into sigstore:main from support-github-actions-oidc on Sep 11, 2021

Conversation

mattmoor
Member

This adds support for handling Github's OIDC tokens in addition to Google and SPIFFE.

Github OIDC tokens look something like:

```json
{
  "jti": "0687e989-80d6-42b0-a498-c65e99315f37",
  "sub": "repo:mattmoor/stupid-example:ref:refs/heads/main",
  "aud": "sigstore",
  "ref_protected": "false",
  "job_workflow_ref": "mattmoor/stupid-example/.github/workflows/my-action.yaml@refs/heads/main",
  "iss": "https://vstoken.actions.githubusercontent.com",
  "nbf": 1631210221,
  "exp": 1631211121,
  "iat": 1631210821
}
```

This change verifies things against the `iss` endpoint, and encodes the
`job_workflow_ref` into the x509 cert as a URI by prefixing it as:

```
https://github.com/{job_workflow_ref}
```

With the example:

```
https://github.com/mattmoor/stupid-example/.github/workflows/my-action.yaml@refs/heads/main
```

I verified this works** with a local Fulcio setup and some identity tokens I
exfiltrated from actions for the test.

** - The major caveat was that I had to tweak more than I'd have liked to for
my test because things currently use the v1beta1 API, and I had to rejigger
things to use v1 for my local test. I chatted a bunch with @dlorenc about
v1 migration, and the major concern is the backwards compatibility with
the current Fulcio cert, so these changes have those pieces backed out.

/assign @dlorenc
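As an added illustration, not code from this PR or from Fulcio itself, the following Go sketch shows the claim checks and SAN encoding the description outlines: issuer, audience and nbf/exp are enforced and `job_workflow_ref` becomes the certificate's URI SAN. It assumes the token's signature has already been verified against the `iss` discovery endpoint (that step is network-bound and left out), and the type and function names (`gitHubClaims`, `certTemplate`) are hypothetical.

```go
package main

import (
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// gitHubClaims is the subset of GitHub Actions token claims checked here.
type gitHubClaims struct {
	Issuer         string `json:"iss"`
	Audience       string `json:"aud"`
	JobWorkflowRef string `json:"job_workflow_ref"`
	NotBefore      int64  `json:"nbf"`
	Expiry         int64  `json:"exp"`
}

// certTemplate checks claims from a token whose signature was already verified against the
// iss endpoint, then builds a template whose only SAN is https://github.com/{job_workflow_ref}.
func certTemplate(raw []byte, aud string, now time.Time) (*x509.Certificate, error) {
	var c gitHubClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != "https://vstoken.actions.githubusercontent.com":
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	case c.Audience != aud:
		return nil, fmt.Errorf("unexpected audience %q", c.Audience)
	case now.Unix() < c.NotBefore || now.Unix() >= c.Expiry:
		return nil, fmt.Errorf("token outside nbf/exp window")
	case c.JobWorkflowRef == "":
		return nil, fmt.Errorf("missing job_workflow_ref")
	}
	u, err := url.Parse("https://github.com/" + c.JobWorkflowRef) // the encoding the PR describes
	if err != nil {
		return nil, err
	}
	return &x509.Certificate{URIs: []*url.URL{u}}, nil
}
// Constructed sample: the claims quoted in the PR description, minus jti/sub/iat.
var sampleToken = []byte(`{"iss":"https://vstoken.actions.githubusercontent.com","aud":"sigstore","nbf":1631210221,` +
	`"exp":1631211121,"job_workflow_ref":"mattmoor/stupid-example/.github/workflows/my-action.yaml@refs/heads/main"}`)
func main() {
	if tmpl, err := certTemplate(sampleToken, "sigstore", time.Unix(1631210821, 0)); err == nil {
		fmt.Println(tmpl.URIs[0]) // prints the https://github.com/... workflow URI
	}
}
```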

Signed-off-by: Matt Moore <mattomata@gmail.com>
@dlorenc dlorenc merged commit 8338b37 into sigstore:main Sep 11, 2021
@cpanato cpanato added this to the 0.2.0 milestone Sep 11, 2021
@mattmoor mattmoor deleted the support-github-actions-oidc branch September 11, 2021 21:43