
Add built-in function support to verify PGP signatures

Open platten opened this issue 4 years ago • 4 comments

We have a use case for verifying annotations containing GPG signatures for Kubernetes manifests. It would be great to have a built-in function in rego which would support that!

platten avatar Nov 01 '19 16:11 platten

One thing worth mentioning is that users can easily extend OPA with custom built-in functions: https://www.openpolicyagent.org/docs/edge/extensions/#custom-built-in-functions-in-go

Since we try to avoid pulling third-party dependencies into OPA and this would likely require golang.org/x/crypto (which we do not currently vendor) I'd recommend checking out the method above. OPA builds easily and the extension process is quite lightweight, so check it out.

That said golang.org/x/crypto exports a lot of useful functions and I could imagine many users wanting those inside Rego. @patrick-east @koponen-styra do either of you have any opinions here? I'm assuming that as long as OPA relies on stable exported APIs from golang.org/x/crypto this might not be a problem?

tsandall avatar Nov 22 '19 23:11 tsandall

Having golang.org/x/crypto as a dependency sounds useful, indeed. In my limited experience with the library its exported APIs have been stable.

koponen-styra avatar Apr 13 '20 17:04 koponen-styra

+1 for golang.org/x/crypto being pretty safe as a dependency

patrick-east avatar Apr 13 '20 17:04 patrick-east

@platten would you be able to provide an example of how you plan to use the proposed builtin? I would imagine the builtin takes the public key, signed file and signature file content.

ashutosh-narkar avatar Aug 09 '22 23:08 ashutosh-narkar

Hey @ashutosh-narkar! I know this thread is a bit old, but I wanted to add some interest for a GPG decryption function. GPG is often utilized to sign images and is natively used by container runtimes (like CRI-O) to verify if images can be deployed to an environment. Since a great use case of OPA is in Kubernetes, a built-in GPG decryption function would allow for shift-left verification of an image's GPG signature validity prior to deployment using OPA.

I think a GPG decryption function that takes GPG encrypted data and a public key as an input, and outputs the decrypted data would be a great addition to OPA's built-in function library.

eshaanm25 avatar Feb 22 '23 07:02 eshaanm25

@eshaanm25 that sounds like a useful builtin. Would you like to contribute? We are happy to help you through the process.

ashutosh-narkar avatar Feb 22 '23 08:02 ashutosh-narkar

I'd love to! Would you happen to have some resources or initial guidance for contributing? I'll take a look at the repository tonight and also attend the next open-hours session as well 😄

EDIT: Taking a look at the built-ins, I see topdown/crypto.go as the home for many of the crypto functions. I think GPG functions would be an addition to this collection, what do you think?

eshaanm25 avatar Feb 22 '23 18:02 eshaanm25

> I think GPG functions would be an addition to this collection, what do you think?

That looks right. You can find an example of adding a builtin here and also check out the code for the recently added builtins for more examples. General code contribution guidelines can be found here. Thanks for looking into this!

ashutosh-narkar avatar Feb 23 '23 23:02 ashutosh-narkar

Closing for now. We can re-open based on future need and demand.

ashutosh-narkar avatar Sep 05 '23 22:09 ashutosh-narkar

Hi @ashutosh-narkar, I can pick this one if this is needed.

yogisinha avatar Dec 20 '23 19:12 yogisinha