Certificate identity for GitHub Actions reusable workflow keyless signing #2936
Replies: 1 comment 12 replies
-
You're correct that the subject of the certificate will be the same, as it's derived from the reusable workflow reference, but there are other claims in the certificate’s extensions that allow you to differentiate between workflows. See https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md for more information. The OID for workflow is Build Config URI, https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#13614157264118--build-config-uri, whereas reusable workflow is Build Signer URI (and the Subject Alt Name), https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726419--build-signer-uri. Note that these are newer OIDs that are standardized across CI platforms, and are actively being implemented for GitLab and Buildkite too. There are older OIDs we've marked as deprecated that will be present in previously issued certificates that represent workflow just for GitHub Actions, https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726414--github-workflow-name-deprecated. |
Beta Was this translation helpful? Give feedback.
-
When I call this from
workflow B
the certificate identity is going to be the workflow ref forworkflow A
.It doesn't sound like a huge deal, but imagine that reusable workflow is from a third-party: the certificate identity becomes a reference to a third-party workflow instead of my release workflow (
workflow B
).From a consumer perspective, it's weird the very least.
I'm somewhat convinced this isn't cosign's "fault" as it probably just uses the identity coming from the ID token.
I'd be interested to know if others find this a problem as well or not. If not, why not?
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions