
Add Fulcio intermediate CA certificate to intermediate pool #1774

Merged
merged 1 commit into from
Apr 19, 2022

Conversation

haydentherapper
Contributor

This certificate will be necessary for chain building from a leaf
certificate to a root once a new version of Fulcio is rolled out. For
OCI, the chain is stored in an annotation. This intermediate is
currently only needed for verify-blob when looking up the certificate
from Rekor.

For the V3 TUF Root, the intermediate will be bundled, so that it is
easily discoverable and revokable. For now, we'll simply bundle it with
Cosign. Note that intermediates are considered untrusted, so it's fine
if the intermediate is not in TUF currently, as the root that issued the
intermediate certificate is in TUF.

Signed-off-by: Hayden Blauzvern <[email protected]>
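The chain-building rule the description relies on (only roots are trusted; an intermediate is untrusted path material that must still chain to a trusted root) can be seen with Go's crypto/x509, which is what cosign uses. The following is an added example, not cosign's or Fulcio's own code: it generates a throwaway root, intermediate and short-lived leaf locally (constructed test certificates, not the real Sigstore ones) and verifies the leaf against separate root and intermediate pools. The names testPKI, buildTestPKI and verifyLeaf are assumptions for this illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed three-tier chain (root -> intermediate -> leaf)
// standing in for a Fulcio root, the new Fulcio intermediate and a
// short-lived signing certificate. Generated locally; not the real certificates.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer (the parent's key) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildTestPKI constructs a fresh root, an intermediate issued by that root,
// and a leaf issued by the intermediate (hypothetical helper for this example).
func buildTestPKI() testPKI {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	intTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "constructed test intermediate"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may only issue leaves
		KeyUsage:              x509.KeyUsageCertSign,
	}
	intermediate := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "constructed test leaf"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(10 * time.Minute), // short-lived, like a Fulcio signing cert
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return testPKI{Root: root, Intermediate: intermediate, Leaf: leaf}
}

// verifyLeaf builds a chain from leaf to one of roots. Only roots are trust
// anchors; intermediates are untrusted material the path builder may use.
// An empty (non-nil) root pool is used deliberately so Go never falls back
// to the system roots when no roots are supplied.
func verifyLeaf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, intPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		intPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: intPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	p := buildTestPKI()
	fmt.Println("with intermediate in pool:   ", verifyLeaf(p.Leaf, []*x509.Certificate{p.Root}, []*x509.Certificate{p.Intermediate}))
	fmt.Println("without intermediate in pool:", verifyLeaf(p.Leaf, []*x509.Certificate{p.Root}, nil))
}
```

The second and third cases in the test below are the ones that matter for the PR: without the intermediate in the pool the leaf cannot reach the root (which is why cosign needs to bundle it), and with the intermediate in the pool but its issuing root absent from the root pool, verification still fails, so shipping an intermediate outside TUF does not extend trust.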


@haydentherapper
Contributor Author

Would like to get this in before a 1.8 cut.

@codecov-commenter

codecov-commenter commented Apr 18, 2022

Codecov Report

Merging #1774 (bf0738f) into main (f89d691) will decrease coverage by 0.00%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1774      +/-   ##
==========================================
- Coverage   31.47%   31.47%   -0.01%     
==========================================
  Files         144      144              
  Lines        8889     8890       +1     
==========================================
  Hits         2798     2798              
- Misses       5755     5756       +1     
  Partials      336      336              
Impacted Files Coverage Δ
cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go 35.93% <0.00%> (-0.58%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@dlorenc
Member

dlorenc commented Apr 18, 2022

This will eventually make it into the on disk bundle to avoid needing to fetch from rekor right?

@haydentherapper
Contributor Author

The comment I made about Rekor was from how verify-blob supports looking up certificates in Rekor, instead of passing them in (not ideal behavior imo, it puts additional trust in Rekor). If there's work going on to create on disk bundles for blobs, then yes, this would need to be included in the bundle.

@dlorenc
Member

dlorenc commented Apr 19, 2022

Cool, ref #1743

@dlorenc dlorenc merged commit 623d50f into sigstore:main Apr 19, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 19, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
…#1774)
@haydentherapper haydentherapper deleted the intermediate branch January 10, 2023 23:35