Added signing and verification workflows #122
Conversation
|
|
||
| 1. **Generate signature:** Using notation CLI or any other compliant signing tool, sign the OCI artifact. The signing tool should follow the following guideline. | ||
| 1. Verify that the signing certificate is valid and satisfies [certificate requirements](./signature-specification.md#certificate-requirements). | ||
| 1. Verify that the signing algorithm satisfies [algorithm requirements](./signature-specification.md#signature-algorithm-requirements). |
There was a problem hiding this comment.
The signing algorithm MUST implement the Notary v2 algorithm requirements.
| 1. Generate signature. | ||
| 1. Generate signature using signature formats specified in [supported signature envelopes](./signature-specification.md#supported-signature-envelopes). | ||
| 1. Obtain an [RFC-3161](https://datatracker.ietf.org/doc/html/rfc3161.html) compliant timestamp for the signature generated in the previous step. This step is optional but recommended. | ||
| 1. Verify that the timestamp signing certificate satisfies [certificate requirements](./signature-specification.md#certificate-requirements). |
There was a problem hiding this comment.
If provided, the timestamp signing certificate MUST satisfy certificate requirements.
| 1. Generate signature using signature formats specified in [supported signature envelopes](./signature-specification.md#supported-signature-envelopes). | ||
| 1. Obtain an [RFC-3161](https://datatracker.ietf.org/doc/html/rfc3161.html) compliant timestamp for the signature generated in the previous step. This step is optional but recommended. | ||
| 1. Verify that the timestamp signing certificate satisfies [certificate requirements](./signature-specification.md#certificate-requirements). | ||
| 1. Verify that the timestamp signing algorithm satisfies [algorithm requirements](./signature-specification.md#signature-algorithm-requirements). |
There was a problem hiding this comment.
The timestamp signing algorithm MUST satisfy the Notary v2 algorithm requirements.
|
|
||
|  |
There was a problem hiding this comment.
Visuals are always helpful. Perhaps a slightly simplified version, but it would be great to bring a simplified version back.
There was a problem hiding this comment.
Yep, visuals are helpful but in this case it was becoming complicated so had to remove. I can try to create simplified version of it.
There was a problem hiding this comment.
Thanks @priteshbandi for all the details. Mostly nits, with a bit more details in some places.
| - **Delta CRLs:** Contains only certificates that have changed status since the last base CRL was published. Delta CRLs are signed by the certificate issuing CAs. | ||
| - **Indirect CRLs:** Special Case in which BaseCRLs and Delta CRLs are not signed by the certificate issuing CAs, instead they are signed with a completely different certificate. | ||
|
|
||
| Notary v2 MUST support BaseCRLs and Delta CRLs. Notary v2 MAY support Indirect CRLs. Notary v2 supports only HTTP CRL URLs. |
There was a problem hiding this comment.
Just a note:
There are lots of ideas around how to improve the CRL models, but I'll leave those for later and we'll lean into the existing infra and work to improve it as incremental work.
| 1. Validate the signature envelope using trust-store and trust-policy as mentioned in [signature evaluation](./trust-store-trust-policy-specification.md#signature-evaluation) section. | ||
| 1. If signature validation fails, skip the below steps and move to the next signature artifact descriptor(step 2.1). If all signature artifact manifests have already been processed, fail the signature verification and exit. | ||
| 1. If signature validation succeeds, compare the digest derived from the given OCI artifact reference with the signed digest present in the signature envelope's payload. If digests are equal, signature verification is considered successful. Otherwise, move to the next signature artifact descriptor(step 2.1). If all signature artifact descriptors have already been processed, fail the signature verification and exit. | ||
| 1. **Get OCI artifact:** Using the verified digest, download the OCI artifact. This step is not in the purview of Notary v2. |
There was a problem hiding this comment.
The signed payload of a signature contains the descriptor of the target OCI artifact, which includes digest, size, and media type.
Instead of using the verified digest, we should say using the verified descriptor.
There was a problem hiding this comment.
Have mentioned digest instead of descriptor because we haven't verified the descriptor inside the signature envelope with the actual OCI artifact's descriptor (the one stored in the registry).
|
|
||
| If the certificate revocation trust-store setting is set to `skip`, skip the below steps. Otherwise, check for revocation status for certificate and certificate chain. | ||
|
|
||
| 1. If the revocation status of any of the certificates cannot be determined (revocation unavailable) and `signingIdentityRevocation` is set to either `enforceWithFailClose` or `warn` then log a warning and skip the below steps. Otherwise, fail the signature validation and exit. |
There was a problem hiding this comment.
Should this be enforceWithFailOpen?
There was a problem hiding this comment.
No, it should be enforceWithFailClose,
enforceWithFailOpen: This means implementation MUST perform validation and if validation fails because the endpoint is not reachable, the implementation MUST throw an error and MUST fail the validation.enforceWithFailClose: This means implementation MUST perform validation and if validation fails because the endpoint is not reachable, the implementation MUST log an error and MUST NOT fail the validation.
There was a problem hiding this comment.
Perhaps I'm misunderstanding, or our usage of the terminology is confusing here. The traditional usage of "fail open" means that you only throw a warning but do not stop workflows from running when the security check is unable to be performed. It sounds like we're saying "fail open" means to fail the validation which would block images from being deployed in the common use case.
There was a problem hiding this comment.
Yep, you are correct our usage of terminology is incorrect. Recently I've been reading a lot about circuit breakers where open state represents failure scenario and close state represents business as usual. Perhaps I got confused and interpolated that with fail open and fail close of networking.
Have fixed it in the latest commit.
|
LGTM! |
- Added detailed steps for signature verification - Added certificate requirements Co-authored-by: Milind Gokarn <[email protected]> Signed-off-by: Pritesh Bandi <[email protected]>
Signed-off-by: Pritesh Bandi <[email protected]>
| If the certificate revocation trust-store setting is set to `skip`, skip the below steps. Otherwise, check for revocation status for certificate and certificate chain. | ||
|
|
||
| 1. If the revocation status of any of the certificates cannot be determined (revocation unavailable) and `signingIdentityRevocation` is set to either `enforceWithFailOpen` or `warn` then log a warning and skip the below steps. Otherwise, fail the signature validation and exit. | ||
| 1. If any of the certificates are revoked and `signingIdentityRevocation` is set to either `enforceWithFailOpen` or `enforceWithFailClose` then fail signature validation and exit else log a warning. |
There was a problem hiding this comment.
Am I reading this as enforceWithFailOpen or enforceWithFailClose have the same result?
There was a problem hiding this comment.
Yep, when the notary can identify the revocation status of a certificate enforceWithFailOpen or enforceWithFailClose will have the same result. The behavior differs when notary is unable to determine certificate revocation status.
| 1. Verify the CRL signature. | ||
| 1. Verify that the CRL is valid (not expired). A CRL is considered expired if the current date is after the `NextUpdate` field in the CRL. | ||
| 1. Look up the certificate’s serial number in the CRL. | ||
| 1. If the certificate’s serial number is listed in the CRL, look for `InvalidityDate`. If the invalidity date is present and timestamp signature is also present then if the invalidity date is before the timestamping date, the certificate is considered revoked. If the invalidity date is not present in CRL, the certificate is considered revoked. |
There was a problem hiding this comment.
Is this accurate, or complete?
If the invalidity date is present and timestamp signature is also present then if the invalidity date is before the timestamping date, the certificate is considered revoked.
Should this be:
If the invalidity date is present and timestamp signature is also present then if the invalidity date is before the current date and before the timestamping date, the certificate is considered revoked.
There was a problem hiding this comment.
I have paraphrased the sentence for better readability.
If CRL has invalidity date and artifact signature is timestamped then compare the invalidity date with the timestamping date. If the invalidity date is before the timestamping date, the certificate is considered revoked.
Basically we are comparing the signature's timestamping date(signing date) with the certificate's effective revocation date.
Signed-off-by: Pritesh Bandi <[email protected]>
Summary
Important call-outs
HackmdDoc: https://hackmd.io/@pritesh/signing-verfication-workflow
Signed-off-by: Pritesh Bandi [email protected]