Adding Gitpod IDP
Closes #1176
Summary
This MR adds Gitpod as a trusted identity provider using the email type to SaaS Fulcio. Gitpod is a remote IDE service aimed at providing workspace IDEs to users with all of the dependencies installed in seconds. Gitpod have been looking at Fulcio and gitsign as a means to achieve GPG signing for all commits made by users within a Gitpod workspace. Adding Gitpod to SaaS Fulcio would allow them to pass through JWT tokens that identify a user, and get back a certificate automatically, without the user needing to do any additional authorisation.
Release Note
Documentation
To answer @haydentherapper's question in the original thread, I'll attempt to highlight the Gitpod IDP based on the criteria outlined in #397
Integrating with Dex - Not really suitable. Gitpod itself federates to other IDPs so adding it to Dex achieves nothing. It also doesn't support that kind of federation
Adding the IDP directly to Fulcio's OIDC issuer config list - The better option. This would allow Gitpod to pass fulcio a JWT it has generated and for fulcio to return a valid signing certificate
Key rotation policy - the Gitpod JWT tokens are short lived
Signing key storage policy - Gitpod doesn't store these tokens, they are generated automatically on request
Uptime requirements - Gitpod has a high resiliency, though I don't have exact figures on its downtime
A hosted .well-known/openid-configuration (which should be a given for OIDC, but it's worth having this explicitly checked as part of onboarding a new IDP) https://api.gitpod.io/idp/.well-known/openid-configuration
Minimum set of supported claims (issuer, subject, audience, issued at, expiration). I propose that we don't enforce that all tokens have precise claim names (iss, sub, aud, for some examples), but that these values are represented in some claim on the token. For example, the subject could be in sub or email or maybe some other claim. - Gitpod have just added email_verified to their token in addition to the claims outlined in #1176
An OIDC provider must challenge the email address - Gitpod federates to other IDPs
A configurable audience (aud) for the token, setting the audience to sigstore The audience is configurable, and the plan is to generate tokens with the sigstore aud for use with Fulcio
You’ll need to sign the DCO in your commit and also add the federation file, which just requires a contact.
Can do. Where can I find the federation file? I'll pass it along to them.
https://github.com/sigstore/fulcio/tree/main/federation
thanks for the responses, I’ll follow up with any questions shortly
@ChevronTango Can you also update https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml?
Would you be able to test this out too? Run docker-compose build; docker-compose up, or if you don't have docker-compose, go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/config.json
Edit https://github.com/sigstore/fulcio/blob/main/examples/request-certificate/main.go (sorry for the list of steps, this is probably simplest):
- Change fulcioUrl to localhost:5554
- Change 80 to 5554 on line 88
- Remove lines 48-51
- Change tok.Subject to the email from GitPod
- Change tok.RawString to the ID token from GitPod
Run go run examples/request-certificate/main.go and check a certificate is issued.
Codecov Report
All modified and coverable lines are covered by tests.
Project coverage is 56.02%. Comparing base (cf238ac) to head (59cf06b). Report is 49 commits behind head on main.
Current head 59cf06b differs from pull request most recent head b295a67. Consider uploading reports for the commit b295a67 to get more accurate results.
Additional details and impacted files
@@ Coverage Diff @@
## main #1177 +/- ##
==========================================
- Coverage 57.93% 56.02% -1.91%
==========================================
Files 50 50
Lines 3119 2904 -215
==========================================
- Hits 1807 1627 -180
+ Misses 1154 1133 -21
+ Partials 158 144 -14
You'll need to alphabetize the configuration
@loujaybee are you able to provide a contact email for gitpod support?
Will [email protected] suffice?
https://www.gitpod.io/support
Thanks @ChevronTango! Since you have been using Gitpod, could you also test that this works using https://github.com/sigstore/fulcio/pull/1177#issuecomment-1556434098?
Hi Hayden. Just ran the tests and it looks like Gitpod have a couple more things they need to do on their side. I suggest we hold fire for now and I'll post back here once I have a successful test.
SG, thanks!
Whilst waiting on Gitpod to action things on their side, I did have a question about the script you mentioned in https://github.com/sigstore/fulcio/pull/1177#issuecomment-1556434098
When I ran it after following your instructions, I got:
$ go run examples/request-certificate/main.go
2023/05/23 22:49:29 rpc error: code = Internal desc = Error entering certificate in CTL
exit status 1
with the following from the docker stack:
fulcio-ct_server-1 | W0523 22:49:29.552818 1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1 | 2023-05-23T22:49:29.553Z ERROR server/error.go:45 returning with error {"requestID": "Slfmo6ng", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}
Just wanted to clarify if there were any settings in docker or go that were missing that would resolve this. Thankfully these don't look like errors relating to the JWT auth, but it would still be nice for your script to pass cleanly.
docker-compose should spin up the transparency log too. There should be some error message from Trillian about why the certificate couldn't be entered in the log.
Otherwise, you can run the go run command with --ct-log-url="" which should prevent certs from being added to the local log.
Nothing from Trillian. Nothing is logged after the initial startup. The only logs are the ones I posted:
fulcio-ct_server-1 | W0523 23:16:23.228738 1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1 | 2023-05-23T23:16:23.228Z ERROR server/error.go:45 returning with error {"requestID": "rcBeWTJI", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}
fulcio-fulcio-server-1 | github.com/sigstore/fulcio/pkg/server.handleFulcioGRPCError
fulcio-fulcio-server-1 | /opt/app-root/src/pkg/server/error.go:45
fulcio-fulcio-server-1 | github.com/sigstore/fulcio/pkg/server.(*grpcCAServer).CreateSigningCertificate
fulcio-fulcio-server-1 | /opt/app-root/src/pkg/server/grpc_server.go:199
fulcio-fulcio-server-1 | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler.func1
fulcio-fulcio-server-1 | /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:147
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/server_metrics.go:108
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1 | github.com/sigstore/fulcio/cmd/app.PassFulcioConfigThruContext.func1
fulcio-fulcio-server-1 | /opt/app-root/src/cmd/app/grpc.go:64
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware/logging/zap.UnaryServerInterceptor.func1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/logging/zap/server_interceptors.go:31
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1 | github.com/goadesign/goa/grpc/middleware.UnaryRequestID.func1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/goadesign/[email protected]+incompatible/grpc/middleware/requestid.go:34
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/recovery/interceptors.go:33
fulcio-fulcio-server-1 | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:53
fulcio-fulcio-server-1 | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler
fulcio-fulcio-server-1 | /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:149
fulcio-fulcio-server-1 | google.golang.org/grpc.(*Server).processUnaryRPC
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:1337
fulcio-fulcio-server-1 | google.golang.org/grpc.(*Server).handleStream
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:1714
fulcio-fulcio-server-1 | google.golang.org/grpc.(*Server).serveStreams.func1.1
fulcio-fulcio-server-1 | /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:959
fulcio-fulcio-server-1 | 2023-05-23T23:16:23.228Z DEBUG log/log.go:106 finished unary call with code Internal {"grpc.start_time": "2023-05-23T23:16:23Z", "system": "grpc", "span.kind": "server", "grpc.service": "dev.sigstore.fulcio.v2.CA", "grpc.method": "CreateSigningCertificate", "error": "rpc error: code = Internal desc = Error entering certificate in CTL", "grpc.code": "Internal", "requestID": "rcBeWTJI", "grpc.time_ms": 2.567}
Could be that the log failed to start up, sometimes it’s a little finicky. The easiest solution is with go run if docker compose isn’t working.
Moving to draft while there are ongoing conversations
Gitpod have updated their docs now that they are providing tokens of the correct format: https://www.gitpod.io/docs/configure/workspaces/oidc
Not every token that you can create for Gitpod will be valid from the looks of it:
Important:
email_verified is only true if you are signed in to Gitpod via an SSO provider. If you're only signed in with an SCM authentication provider, this field will be false.
I'll update the code I submitted in https://github.com/sigstore/cosign/pull/2998 originally to include logic to make sure only valid tokens are submitted automatically.
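The client-side gate described in the last comment, together with the claim and audience criteria discussed earlier in the thread, as an added example in Go that is not code from this PR, from Fulcio, from cosign or from Gitpod. It assumes the Gitpod issuer URL is https://api.gitpod.io/idp (derived from the discovery URL quoted above, not confirmed by the merged config), that the audience is the literal "sigstore", and that the demo token is built locally and unsigned; Fulcio verifies real signatures against the issuer's JWKS and this check only decides whether a token is worth submitting. The OIDCIssuer struct mirrors the IssuerURL/ClientID/Type fields of an entry in Fulcio's OIDCIssuers config.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// OIDCIssuer mirrors the shape of one entry in Fulcio's OIDCIssuers config
// (IssuerURL, ClientID, Type). The Gitpod values are an assumption derived
// from the discovery URL quoted in the thread, not taken from the merged config.
type OIDCIssuer struct {
	IssuerURL string
	ClientID  string
	Type      string
}

var GitpodIssuer = OIDCIssuer{
	IssuerURL: "https://api.gitpod.io/idp",
	ClientID:  "sigstore",
	Type:      "email",
}

// Audience accepts both the string and the array form of "aud" that OIDC permits.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = Audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud is neither string nor array: %w", err)
	}
	*a = Audience(many)
	return nil
}

func (a Audience) MarshalJSON() ([]byte, error) { return json.Marshal([]string(a)) }

// EmailClaims are the claims an "email" type issuer must carry for Fulcio.
type EmailClaims struct {
	Issuer        string   `json:"iss"`
	Subject       string   `json:"sub"`
	Audience      Audience `json:"aud"`
	IssuedAt      int64    `json:"iat"`
	Expiry        int64    `json:"exp"`
	Email         string   `json:"email"`
	EmailVerified bool     `json:"email_verified"`
}

// DecodeClaims extracts the payload of a compact JWT WITHOUT checking the
// signature. Fulcio verifies the signature against the issuer's JWKS; this
// client-side step only decides whether a token is worth submitting at all.
func DecodeClaims(token string) (EmailClaims, error) {
	var c EmailClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("token is not a three-part compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	return c, nil
}

// CheckEmailToken applies the onboarding criteria from the thread to a decoded
// claim set: iss matches the configured issuer, the configured audience is in
// aud, exp is in the future, and email is present and verified (Gitpod sets
// email_verified to false when the user is signed in only via an SCM provider).
func CheckEmailToken(iss OIDCIssuer, c EmailClaims, now time.Time) error {
	if iss.Type != "email" {
		return fmt.Errorf("issuer %s is type %q, expected email", iss.IssuerURL, iss.Type)
	}
	if c.Issuer != iss.IssuerURL {
		return fmt.Errorf("iss %q does not match configured %q", c.Issuer, iss.IssuerURL)
	}
	audOK := false
	for _, a := range c.Audience {
		if a == iss.ClientID {
			audOK = true
		}
	}
	if !audOK {
		return fmt.Errorf("aud %v does not contain %q", []string(c.Audience), iss.ClientID)
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return errors.New("token is expired or has no exp")
	}
	if c.Email == "" {
		return errors.New("token has no email claim")
	}
	if !c.EmailVerified {
		return errors.New("email_verified is false; sign in to Gitpod via SSO first")
	}
	return nil
}

// ShouldSubmit is the gate a client such as gitsign or cosign would run before
// calling Fulcio's CreateSigningCertificate with a Gitpod token.
func ShouldSubmit(token string, now time.Time) error {
	c, err := DecodeClaims(token)
	if err != nil {
		return err
	}
	return CheckEmailToken(GitpodIssuer, c, now)
}

// BuildUnsignedToken builds a constructed, unsigned demo token (alg "none",
// empty signature segment) so the example runs offline. Real Gitpod tokens are
// signed and would never be accepted by Fulcio in this form.
func BuildUnsignedToken(c EmailClaims) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(c) + "."
}

func main() {
	now := time.Unix(1684886400, 0) // constructed "current time" for the demo
	good := EmailClaims{Issuer: GitpodIssuer.IssuerURL, Subject: "user-1", Audience: Audience{"sigstore"},
		IssuedAt: now.Unix(), Expiry: now.Add(5 * time.Minute).Unix(), Email: "dev@example.com", EmailVerified: true}
	scmOnly := good // same user, but signed in via an SCM provider rather than SSO
	scmOnly.EmailVerified = false
	for _, c := range []EmailClaims{good, scmOnly} {
		fmt.Println(ShouldSubmit(BuildUnsignedToken(c), now))
	}
}
```

Running it prints <nil> for the SSO-backed token and the email_verified error for the SCM-only token; the same decision could be made on the real token's claims before any request to Fulcio, which is what the cosign change mentioned above is meant to do.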