adds tsa cert chain check for env var or tuf targets. #3600
This looks pretty good to me, though I'm not a TSA or TUF expert.
It looks like the merge commit accidentally pulled in an unused import so this doesn't build.
This will need some tests.
Thanks, sorry for the delay. Just a couple comments.
+1 to tests.
thanks for the feedback/comments, will try to implement in the next few weeks.
i've added some of the feedback, just working on tests and returning
@ianhundere Can you tell me the approximate time of making all the improvements?
@Meeki1l if not today, by weds.
@haydentherapper / @cmurphy okay, i think that about does it.
Thanks @ianhundere! Will take a closer look tomorrow. Can you take a look at failing tests?
@haydentherapper no problem, thanks for the quick 👀 / feedback. 🙇 this commit fixes the failing unit tests / lint errors:
ah, had a couple more issues:
now running
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3600 +/- ##
==========================================
+ Coverage 40.10% 40.70% +0.60%
==========================================
Files 155 159 +4
Lines 10044 10225 +181
==========================================
+ Hits 4028 4162 +134
- Misses 5530 5558 +28
- Partials 486 505 +19
☔ View full report in Codecov by Sentry.
@haydentherapper no rush, but i think we're good / just need to run the pipeline tests once more for ✅.
Not sure why the tests are stuck, but might want to try to rebase off HEAD.
i think the runners ran outta space: https://github.com/sigstore/cosign/actions/runs/9415519250/attempts/2 i went ahead and squashed the last commit / force pushed after rebasing again.
GitHub Actions outage - https://www.githubstatus.com/incidents/lfrlwdg67fn8
Thank you!
np, just a heads up that i noticed e2e tests are failing. lemme know if that's something i can fix or not.
Yea, this doesn't look like a flake, I see an error printed around TSA verification - https://github.com/sigstore/cosign/actions/runs/9473354802/job/26102612458?pr=3600
ah, i never synced my fork when i rebased / oops.
this one is failing due to some infra/network issues:
One last thing, need to run
done / done 🙂
@haydentherapper thanks for the 👀 / lemme know if that satisfies everything.
Just a few more places to update! Sorry for all the duplication across verify_* functions
ah, i'll get those / thanks again. edit: @haydentherapper all done
Thank you for all of your work on this!
The error handling lgtm now 👍
@cpanato would you be able to take a look at the test failures? I’m uncertain why they’re failing
I will take a look; just bear with me :) i am traveling back home today
looks like @bobcallaway merged a fix / updated metallb as per the sigstore slack (#general):
Can you rebase?
sorry for the delay, a rebase might fix
Signed-off-by: ianhundere <[email protected]>
…ogic. Signed-off-by: ianhundere <[email protected]>
@haydentherapper done/done 🙂
closes #3563
Summary
Creates parity between Cosign / TSA (e.g. TSA values are handled similarly to ctlog, fulcio, and rekor creds now) since sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.
Currently, the TSA cert chain is required via Cosign's cli flag, though, as per #3563, Cosign can support reading the cert chain from either an environment variable or the TUF targets, similar to Fulcio certs, Rekor keys or the CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as an example.
huge thanks to @aalsabag for helping w/ unit tests.
Release Note
SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targets