Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adds tsa cert chain check for env var or tuf targets. #3600

Merged
merged 2 commits into from
Jun 19, 2024
Merged

adds tsa cert chain check for env var or tuf targets. #3600

merged 2 commits into from
Jun 19, 2024

Conversation

ianhundere
Copy link
Contributor

@ianhundere ianhundere commented Mar 15, 2024

closes #3563

Summary

Creates parity between Cosign / TSA (e.g. TSA values are handled similarly to ctlog, fulcio, and rekor creds now) since sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.

Currently, the TSA cert chain is required via Cosign's cli flag, though, as per #3563, Cosign can support reading the cert chain from either an environment variable or the TUF targets, similar to Fulcio certs, Rekor keys or the CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as an example.

huge thanks to @aalsabag for helping w/ unit tests.

Release Note

  • Checks for TSA cert-chain in environment variable, SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targets

@ianhundere ianhundere marked this pull request as draft March 15, 2024 17:57
@ianhundere ianhundere marked this pull request as ready for review March 18, 2024 13:28
Copy link
Contributor

@cmurphy cmurphy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty good to me, though I'm not a TSA or TUF expert.

It looks like the merge commit accidentally pulled in an unused import so this doesn't build.

This will need some tests.

pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, sorry for the delay. Just a couple comments.

+1 to tests.

pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
@ianhundere
Copy link
Contributor Author

ianhundere commented May 6, 2024

thanks for the feedback/comments, will try to implement in the next few weeks.

@ianhundere
Copy link
Contributor Author

ianhundere commented May 31, 2024

i've added some of the feedback, just working on tests and returning x509.Certificate structs instead of byte arrays to cut down on repetition in the verify files since i can handle unmarshalling via SplitPEMCertificateChain in tsalog.go; @haydentherapper thanks for the heads up on that.

@Meeki1l
Copy link
Contributor

Meeki1l commented Jun 3, 2024

@ianhundere Can you tell me the approximate time of making all the improvements?

@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 3, 2024

@Meeki1l if not today, by weds.

@ianhundere
Copy link
Contributor Author

@haydentherapper / @cmurphy okay, i think that about does it.

@haydentherapper
Copy link
Contributor

Thanks @ianhundere! Will take a closer look tomorrow. Can you take a look at failing tests?

@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 4, 2024

Thanks @ianhundere! Will take a closer look tomorrow. Can you take a look at failing tests?

@haydentherapper no problem, thanks for the quick 👀 / feedback. 🙇

this commit fixes the failing units tests / lint errors:

  • golangci-lint errors
  • TestGetTSACertsFromTUF test

@ianhundere
Copy link
Contributor Author

ah, had a couple more issues:

  • fixed last lint issue
  • copied splitPEMCertificateChain from internal/pkg/cosign/tsa/utils.go to avoid import cycle.

now running go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) works other than the current work around, GODEBUG: x509sha1=1, for the failing tests.

Copy link

codecov bot commented Jun 5, 2024

Codecov Report

Attention: Patch coverage is 26.92308% with 95 lines in your changes missing coverage. Please review.

Project coverage is 40.70%. Comparing base (2ef6022) to head (3fee9d8).
Report is 131 commits behind head on main.

Files Patch % Lines
pkg/cosign/tsa.go 37.50% 39 Missing and 6 partials ⚠️
cmd/cosign/cli/verify/verify.go 0.00% 15 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go 0.00% 15 Missing ⚠️
cmd/cosign/cli/verify/verify_blob.go 47.05% 6 Missing and 3 partials ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 0.00% 6 Missing and 2 partials ⚠️
cmd/cosign/cli/options/verify.go 0.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3600      +/-   ##
==========================================
+ Coverage   40.10%   40.70%   +0.60%     
==========================================
  Files         155      159       +4     
  Lines       10044    10225     +181     
==========================================
+ Hits         4028     4162     +134     
- Misses       5530     5558      +28     
- Partials      486      505      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
pkg/cosign/env/env.go Outdated Show resolved Hide resolved
pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
pkg/cosign/tsalog.go Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
pkg/cosign/tsa.go Outdated Show resolved Hide resolved
@ianhundere
Copy link
Contributor Author

@haydentherapper no rush, but i think we're good / just need to run the pipeline tests once more for ✅.

cmd/cosign/cli/verify/verify.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
@haydentherapper
Copy link
Contributor

Not sure why the tests are stuck, but might want to try to rebase off HEAD.

@ianhundere
Copy link
Contributor Author

Not sure why the tests are stuck, but might want to try to rebase off HEAD.

i think the runners ran outta space: https://github.com/sigstore/cosign/actions/runs/9415519250/attempts/2

i went ahead and squashed the last commit / force pushed after rebasing again.

@haydentherapper
Copy link
Contributor

GitHub Actions outage - https://www.githubstatus.com/incidents/lfrlwdg67fn8

pkg/cosign/tsa.go Outdated Show resolved Hide resolved
@ianhundere ianhundere requested a review from cmurphy June 11, 2024 21:55
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@ianhundere
Copy link
Contributor Author

Thank you!

np, just a heads up that i noticed e2e tests are failing. lemme know if that's something i can fix or not.

@haydentherapper
Copy link
Contributor

Yea, this doesn't look like a flake, I see an error printed around TSA verification - https://github.com/sigstore/cosign/actions/runs/9473354802/job/26102612458?pr=3600

@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 12, 2024

Yea, this doesn't look like a flake, I see an error printed around TSA verification - https://github.com/sigstore/cosign/actions/runs/9473354802/job/26102612458?pr=3600

ah, i never synced my fork when i rebased / oops.

go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) via ./ is working again. 🎉

@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 12, 2024

this one is failing due to some infra/network issues:

Error from server (parsing address pool config: invalid CIDR "fc00:f853:ccd:e793::/64.255.1-fc00:f853:ccd:e793::/64.255.250" in pool "config": invalid IP range "fc00:f853:ccd:e793::/64.255.1-fc00:f853:ccd:e793::/64.255.250": invalid start IP "fc00:f853:ccd:e793::/64.255.1"): error when creating "./metallb-crds.yaml": admission webhook "ipaddresspoolvalidationwebhook.metallb.io" denied the request

@haydentherapper
Copy link
Contributor

One last thing, need to run make docgen

@ianhundere
Copy link
Contributor Author

One last thing, need to run make docgen

done / done 🙂

cmd/cosign/cli/verify/verify_attestation.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
@ianhundere
Copy link
Contributor Author

@haydentherapper thanks for the 👀 / lemme know if that satisfies everything.

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few more places to update! Sorry for all the duplication across verify_* functions

cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob_attestation.go Outdated Show resolved Hide resolved
cmd/cosign/cli/verify/verify_attestation.go Outdated Show resolved Hide resolved
@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 12, 2024

Just a few more places to update! Sorry for all the duplication across verify_* functions

ah, i'll get those / thanks again.

edit: @haydentherapper all done

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for all of your work on this!

Copy link
Contributor

@cmurphy cmurphy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error handling lgtm now 👍

@haydentherapper
Copy link
Contributor

@cpanato would you be able to take a look at the test failures? I’m uncertain why they’re failing

@cpanato
Copy link
Member

cpanato commented Jun 13, 2024

@cpanato, can you take a look at the test failures? I’m uncertain why they’re failing.

I will take a look; just bear with me :) i am traveling back home today

@ianhundere
Copy link
Contributor Author

ianhundere commented Jun 14, 2024

@cpanato would you be able to take a look at the test failures? I’m uncertain why they’re failing

looks like @bobcallaway merged a fix / updated metallb as per the sigstore slack (#general):

@haydentherapper
Copy link
Contributor

Can you rebase?

@cpanato
Copy link
Member

cpanato commented Jun 18, 2024

sorry for the delay, a rebase might fix

@ianhundere
Copy link
Contributor Author

@haydentherapper done/done 🙂

@cpanato cpanato merged commit 2b538f8 into sigstore:main Jun 19, 2024
21 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Jun 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fetch TSA certificates from TUF targets when available
5 participants