Add support for signature filtering. #131
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Pritesh Bandi <[email protected]>
priteshbandi
changed the title
Signed-off-by: Pritesh Bandi <[email protected]>
|
LGTM! |
gokarnm
approved these changes
Feb 5, 2022
shizhMSFT
approved these changes
Feb 7, 2022
| @@ -20,7 +20,8 @@ The signature manifest has an artifact type which specifies it's a Notary V2 sig | |||
| - **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor](https://github.com/oras-project/artifacts-spec/blob/main/descriptor.md) referencing signature envelope. | |||
| - **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. The supported value is `application/jose+json` | |||
| - **`subject`** (*descriptor*): A REQUIRED artifact descriptor referencing the signed manifest, including, but not limited to image manifest, image index, oras-artifact manifest. | |||
| - **`annotations`** (*string-string map*): This OPTIONAL property contains arbitrary metadata for the artifact manifest. It can be used to store information about the signature. | |||
| - **`annotations`** (*string-string map*): This REQUIRED property contains metadata for the artifact manifest. It is being used to store information about the signature. Keys using the `org.cncf.notary` namespace are reserved for use in Notary and MUST NOT be used by other specifications. | |||
| - **`org.cncf.notary.x509certs.fingerprint.sha256`**: A REQUIRED annotation whose value contains the list of SHA-256 fingerprint of signing certificate and certificate chain used for signature generation. The list of fingerprints is present as a JSON array string. | |||
There was a problem hiding this comment.
nit: On the naming of fingerprint and thumbprint, which one is more popular or consistent?
| @@ -20,7 +20,8 @@ The signature manifest has an artifact type which specifies it's a Notary V2 sig | |||
| - **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor](https://github.com/oras-project/artifacts-spec/blob/main/descriptor.md) referencing signature envelope. | |||
| - **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. The supported value is `application/jose+json` | |||
| - **`subject`** (*descriptor*): A REQUIRED artifact descriptor referencing the signed manifest, including, but not limited to image manifest, image index, oras-artifact manifest. | |||
| - **`annotations`** (*string-string map*): This OPTIONAL property contains arbitrary metadata for the artifact manifest. It can be used to store information about the signature. | |||
| - **`annotations`** (*string-string map*): This REQUIRED property contains metadata for the artifact manifest. It is being used to store information about the signature. Keys using the `org.cncf.notary` namespace are reserved for use in Notary and MUST NOT be used by other specifications. | |||
| - **`org.cncf.notary.x509certs.fingerprint.sha256`**: A REQUIRED annotation whose value contains the list of SHA-256 fingerprint of signing certificate and certificate chain used for signature generation. The list of fingerprints is present as a JSON array string. | |||
There was a problem hiding this comment.
nit: You may also want to note that the fingerprint is in HEX format.
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why we need this change
An OCI artifact can have multiple signatures associated with it. To efficiently perform the signature verification we need a mechanism to filter out the signatures based on the user trust criteria. Otherwise, we will have to download and evaluate all the associated signatures(until a match is found). Also, there is no upper bound on the number of signatures that can be associated with an artifact, this poses an availability risk as signature evaluation as signature verification workflow might timeout(if configured) or run for a long time.
Supported filtering criteria
Filter based on SHA256 of signing certificate and certificate chain.
Mechanism/Design
To filter out signatures based on the aforementioned trust criteria, we need to surface this trust criteria information in the signature artifact manifest. The only entry in the signature artifact manifest that allows arbitrary data is annotations, so we are using annotations to surface certificate(s) identifier i.e. SHA-256 fingerprints of certificate and certificate chain.
Signed-off-by: Pritesh Bandi [email protected]