Hayden B
I believe this is now fixed, please reopen if not
Yea, I'd be fine with adding that into a fulcio package!
Older version, closing ticket
@bobcallaway What is the status of the PR? Looks like most tests are passing
+1, not checking identity is equivalent to being handed a verification key alongside the signature without checking the verification key belongs to an entity you trust. I think it's fine...
Hey @ilia-medvedev-codefresh, thanks so much for contributing the provider! Overall this looks good, I'll add a few folks who worked on the previous OIDC/CI integrations to review the claim mappings.
@ilia-medvedev-codefresh just needs a lint fix, then I'll merge, cut a release, and work on getting this out. I'll ping the thread once we have this in our staging environment...
See https://github.com/sigstore/rekor/blob/924fb3a0a64c8785d5ce8cd908c4299126582133/pkg/types/error.go#L18 as an approach
Adding onto https://github.com/sigstore/fulcio/issues/250#issuecomment-1676421642, the requirements for inclusion into a trust root are not feasible for an open source project. For example, [Microsoft's requirements](https://learn.microsoft.com/en-us/security/trusted-root/program-requirements) include a yearly audit, which would be...
Fantastic! Next step would be to update the OID doc to map claims in the CircleCI identity token to the extensions in Fulcio certs.