
Add support for other public key types for SCT verification, allow override for testing. #1241

Merged
merged 5 commits into from
Dec 22, 2021

Conversation

vaikas
Contributor

@vaikas vaikas commented Dec 22, 2021

Summary

Fixes #1240

Also, when using, say, a testing CT log (where I found the above issue), it would be nice to be able to specify a different public key to use for SCT validation, so basically the public key for the CT log. The other option of course would be to just use the insecure bit, but I reckon this is nicer and allows for more flexibility.
Introduce a CT_LOG_PUBLIC_KEY_FILE environment variable that allows one to override (with nice warnings to boot) the public key used for validating the SCT.

Ticket Link

Fixes

Release Note

Introduce an env variable `CT_LOG_PUBLIC_KEY_FILE` that allows one to use a different public key for validating SCT from the CT Log.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
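The two behaviours the PR describes, accepting CT log public keys other than ECDSA and letting an env var point at a different key file with a warning, as an added example. This is illustrative code written for this page, not cosign's implementation: the function names, the injected `getenv`/`readFile` parameters and the `testKeyPEM` helper (which fabricates throwaway keys as constructed sample input) are assumptions; only the env var name `CT_LOG_PUBLIC_KEY_FILE` comes from the PR.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"os"
)

// Env var name as introduced by the PR.
const altCTLogPublicKeyLocation = "CT_LOG_PUBLIC_KEY_FILE"

// parseCTLogPublicKey decodes a PEM "PUBLIC KEY" block and accepts any PKIX key
// type (ECDSA, RSA, Ed25519) instead of assuming ECDSA. The returned label lets
// callers log which kind of key they are about to trust.
func parseCTLogPublicKey(pemBytes []byte) (crypto.PublicKey, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, "", errors.New("ct log key: expected a PEM block of type PUBLIC KEY")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, "", fmt.Errorf("ct log key: parsing PKIX public key: %w", err)
	}
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		return k, "ecdsa", nil
	case *rsa.PublicKey:
		return k, "rsa", nil
	case ed25519.PublicKey:
		return k, "ed25519", nil
	default:
		return nil, "", fmt.Errorf("ct log key: unsupported public key type %T", pub)
	}
}

// loadCTLogPublicKey picks the key used for SCT verification. If the override
// env var is set, the file it names replaces the default key and a warning is
// logged, since whoever controls that file now decides which CT log is trusted.
// getenv and readFile are injected (hypothetical design) so this is testable
// without touching the real environment or filesystem.
func loadCTLogPublicKey(defaultPEM []byte, getenv func(string) string,
	readFile func(string) ([]byte, error)) (crypto.PublicKey, string, bool, error) {
	if path := getenv(altCTLogPublicKeyLocation); path != "" {
		log.Printf("WARNING: %s is set; using CT log public key from %q instead of the default",
			altCTLogPublicKeyLocation, path)
		pemBytes, err := readFile(path)
		if err != nil {
			return nil, "", true, fmt.Errorf("reading %s=%q: %w", altCTLogPublicKeyLocation, path, err)
		}
		key, kind, err := parseCTLogPublicKey(pemBytes)
		return key, kind, true, err
	}
	key, kind, err := parseCTLogPublicKey(defaultPEM)
	return key, kind, false, err
}

// testKeyPEM generates a throwaway key of the requested type and returns its
// PKIX PEM encoding. Constructed sample input only, not a real CT log key.
func testKeyPEM(kind string) ([]byte, error) {
	var pub crypto.PublicKey
	var err error
	switch kind {
	case "ecdsa":
		var priv *ecdsa.PrivateKey
		if priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err == nil {
			pub = &priv.PublicKey
		}
	case "rsa":
		var priv *rsa.PrivateKey
		if priv, err = rsa.GenerateKey(rand.Reader, 2048); err == nil {
			pub = &priv.PublicKey
		}
	case "ed25519":
		pub, _, err = ed25519.GenerateKey(rand.Reader)
	default:
		return nil, fmt.Errorf("unknown test key kind %q", kind)
	}
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	defaultPEM, err := testKeyPEM("ecdsa") // stands in for the bundled default key
	if err != nil {
		log.Fatal(err)
	}
	_, kind, overridden, err := loadCTLogPublicKey(defaultPEM, os.Getenv, os.ReadFile)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("SCT verification key type: %s (override in effect: %v)\n", kind, overridden)
}
```

Run it once with the env var unset and once with `CT_LOG_PUBLIC_KEY_FILE` pointing at a PEM file to see the default and override paths; the override always logs, so an unexpected override in CI output is easy to spot.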
@@ -37,6 +40,10 @@ import (
// This is the CT log public key target name
var ctPublicKeyStr = `ctfe.pub`

// Setting this env variable will over ride what is used to validate
// the SCT coming back from Fulcio.
const altCTLogPublicKeyLocation = "CT_LOG_PUBLIC_KEY_FILE"
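Review bot: the comment on `altCTLogPublicKeyLocation` understates what the setting does; since the key read from this file replaces the key that SCT verification trusts, the comment should say that setting it changes the trust root for SCT validation and is intended for testing against a non-production CT log, matching the warning the PR description says is emitted. While there, "over ride" should be "override".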
Member

What do you think about prefixing this with SIGSTORE_? We have some env vars prefixed with COSIGN_ for cosign-specific things, and then SIGSTORE_ROOT_FILE and SIGSTORE_NO_CACHE for the TUF root itself.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@dlorenc dlorenc merged commit c360535 into sigstore:main Dec 22, 2021
@github-actions github-actions bot added this to the v1.5.0 milestone Dec 22, 2021
@vaikas vaikas deleted the ct-pub-debug branch December 28, 2021 07:19
Development

Successfully merging this pull request may close these issues.

Support other Public keys than ecdsa when verifying SCT
2 participants