Add Fulcio intermediate CA certificate to intermediate pool #1774

Merged
merged 1 commit into from
Apr 19, 2022
18 changes: 18 additions & 0 deletions cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
Expand Up @@ -39,6 +39,23 @@ var fulcioTargetStr = `fulcio.crt.pem`
// This is the v1 migrated root.
var fulcioV1TargetStr = `fulcio_v1.crt.pem`

// The untrusted intermediate CA certificate, used for chain building
// TODO: Remove once this is bundled in TUF metadata.
var fulcioIntermediateV1 = `-----BEGIN CERTIFICATE-----
MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
mygUY7Ii2zbdCdliiow=
-----END CERTIFICATE-----`

const (
altRoot = "SIGSTORE_ROOT_FILE"
)
Expand Down Expand Up @@ -116,6 +133,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
}
}
}
intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
}
return rootPool, intermediatePool, nil
}
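Review bot: The boolean result of `intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))` is discarded, so if the embedded PEM ever fails to parse (for example after a future edit to the literal) the intermediate is silently absent and chain building later fails with a far less specific error. initRoots already returns an error, so the call can be checked instead: `if !intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1)) { return nil, nil, errors.New("fulcioroots: parsing embedded intermediate certificate") }` (this assumes `errors` or `fmt` is imported at the top of the file, which is outside this view). initRoots starts before this hunk, so the block the call sits inside is not visible here; if that block is only entered on one of the root-loading paths, the intermediate would be skipped on the others, which is worth confirming. Separately, `fulcioIntermediateV1` is a string literal that is never reassigned and could be declared `const` next to `altRoot` rather than as a package-level `var`.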
3 changes: 1 addition & 2 deletions cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
Expand Up @@ -40,8 +40,7 @@ func TestGetFulcioRoots(t *testing.T) {
if _, err := tmpCertFile.Write(chain); err != nil {
t.Fatalf("failed to write cert file: %v", err)
}
os.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
defer os.Unsetenv("SIGSTORE_ROOT_FILE")
t.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())

rootCertPool := Get()
// ignore deprecation error because certificates do not contain from SystemCertPool