specifications icon indicating copy to clipboard operation
specifications copied to clipboard
verified publisher icon notaryproject

id-kp-codeSigning EKU restriction for signing certificate.

Open priteshbandi opened this issue 3 years ago • 12 comments

Discuss if we need to enforce id-kp-codeSigning EKU restriction for signing certificate.

Recommend removing this requirement, as not all signed artifacts will be "code".

Originally posted by @briankr-ms in https://github.com/notaryproject/notaryproject/pull/122#discussion_r798210495

priteshbandi avatar Feb 03 '22 23:02 priteshbandi

Currently, this EKU is marked as default as in notation-go-lib.

shizhMSFT avatar Feb 08 '22 02:02 shizhMSFT

id-kp-codeSigning OID is for "signing of downloadable executable code" per RFC5280, we extend this definition to all signable code (contiguous bits) that is executable code or directly impacts executable code (e.g. XML config file is "executable code"). Supply chain metadata claims or additional artifacts that are not executable code must not be signed with certificates that include the id-kp-codeSigning OID.

ianjmcm avatar Feb 15 '22 15:02 ianjmcm

@shizhMSFT we might need to bring this issue up during the call. It hasn't seen much traction.

sajayantony avatar Jun 06 '22 18:06 sajayantony

@FeynmanZhou We missed this today, and need to bring this up in the next meeting.

shizhMSFT avatar Jun 07 '22 01:06 shizhMSFT

/cc @yizha1

shizhMSFT avatar Jun 22 '22 07:06 shizhMSFT

latest spec: https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#certificate-requirements

priteshbandi avatar Jun 22 '22 22:06 priteshbandi

I just checked and see here that notation-go is enforcing a check for the signing bit set.

When I try to go through our tutorial and create a certificate without any EKU set, then I get the error message from there:

notation sign --key $KEY_NAME $IMAGE
2022/06/24 11:54:11 signing certificate in generateSignature response.CertificateChain does not meet the minimum requirements: extKeyUsage must contain 3

IMO - We should remove this requirement per @ianjmcm comment above.

dtzar avatar Jun 24 '22 19:06 dtzar

One valid comment which came up during the community call yesterday... is if someone wanted to use notation to sign documents, there is another valid EKU for document signing.

dtzar avatar Jul 06 '22 17:07 dtzar

Per the discussion on the last call, I believe we came to a consensus that if PR #167 would be implemented, then we could close this out. Then we'd need to fix any place(s) in the code where we enforce the MUST have code signing EKU...

dtzar avatar Jul 11 '22 18:07 dtzar

@dtzar - This is a duplicate of #157 . We can close one of them. We need to close out bout #166 and #167 to close both #157 and this one #130

iamsamirzon avatar Jul 13 '22 20:07 iamsamirzon

157 is a superset including 130. It seems that everything minus 130 has been resolved in 157. I would propose to close 157 and keep this one open.

dtzar avatar Jul 13 '22 20:07 dtzar

Once we merge 167 we can close this.

dtzar avatar Jul 22 '22 16:07 dtzar

PR: https://github.com/notaryproject/notation-core-go/pull/86

priteshbandi avatar Oct 05 '22 07:10 priteshbandi