fulcio
Update Buildkite issuer to include some of the new certificate extensions
Summary
The Buildkite Issuer was added in #890, prior to the efforts to standardise certificate extensions for CI providers, and #1074 calls for the Buildkite issuer to be updated to use the new extensions (where applicable).
This is an early attempt to make those changes.
I've added the extensions that make the most sense in a Buildkite context, like RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the other extensions don't apply because we're not a code host as well, or need further discussion.
I have not added tests yet. This is my first contribution to fulcio and I'm keen to confirm I'm heading in the right direction before adding tests. However, I have tested this locally with a Buildkite agent and OIDC token, and the certificate was issued as expected.
Using `git cat-file commit HEAD` and piping it through `openssl pkcs7 -print -print_certs -text`, the extensions section looks like this:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Subject Key Identifier:
19:9E:E7:53:4D:F6:65:D4:23:9D:60:21:B8:F3:12:80:FD:11:30:7F
X509v3 Authority Key Identifier:
8A:3E:9E:34:19:F7:32:18:3D:2A:1B:F9:5F:60:29:24:0F:70:0B:B4
X509v3 Subject Alternative Name: critical
URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
1.3.6.1.4.1.57264.1.1:
https://agent.buildkite.com
1.3.6.1.4.1.57264.1.8:
..https://agent.buildkite.com
1.3.6.1.4.1.57264.1.11:
..self-hosted
1.3.6.1.4.1.57264.1.13:
.(5242de9e5c2ca164cb3dfc500fb605f0b8b86763
1.3.6.1.4.1.57264.1.21:
.mhttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/35%230189cb29-62fa-41af-8641-62e1d6c5edfd
Fixes #1074
/cc @sj26
Release Note
NONE
Documentation
Uncertain
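The OID values in the openssl output above are DER UTF8Strings, which is why a length byte shows up before each one. As an added example (not code from this PR or from fulcio itself), here is a small Go extractor for those extensions on the verifying side; it assumes a parsed *x509.Certificate as input, names the OIDs after the fulcio extension names used above, and is exercised with a constructed sample rather than a real Fulcio-issued certificate:

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Fulcio extension OIDs seen in the openssl output above. Their values are DER
// UTF8Strings, which is why openssl prints a length byte ("..", ".(", ".m") first.
var sigstoreOIDs = map[string]asn1.ObjectIdentifier{
	"IssuerV2":               {1, 3, 6, 1, 4, 1, 57264, 1, 8},
	"RunnerEnvironment":      {1, 3, 6, 1, 4, 1, 57264, 1, 11},
	"SourceRepositoryDigest": {1, 3, 6, 1, 4, 1, 57264, 1, 13},
	"RunInvocationURI":       {1, 3, 6, 1, 4, 1, 57264, 1, 21},
}

// ExtractSigstoreExtensions decodes the known extensions from a parsed certificate.
// A value that is not exactly one DER string is rejected rather than half-parsed,
// so a verifier never acts on a truncated or trailing-garbage URI.
func ExtractSigstoreExtensions(cert *x509.Certificate) (map[string]string, error) {
	out := map[string]string{}
	for _, ext := range cert.Extensions {
		for name, oid := range sigstoreOIDs {
			if !ext.Id.Equal(oid) {
				continue
			}
			var s string
			rest, err := asn1.Unmarshal(ext.Value, &s)
			if err != nil || len(rest) != 0 {
				return nil, fmt.Errorf("extension %s (%v) is not a single DER string", name, oid)
			}
			out[name] = s
		}
	}
	return out, nil
}

// EncodeSigstoreExtension builds one extension the way Fulcio encodes it (DER
// UTF8String), so a constructed certificate in a test matches a real issued one.
func EncodeSigstoreExtension(name, value string) (pkix.Extension, error) {
	der, err := asn1.MarshalWithParams(value, "utf8")
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: sigstoreOIDs[name], Value: der}, nil
}
```

The deprecated 1.3.6.1.4.1.57264.1.1 extension is deliberately left out of the table: its value is a raw string without a DER wrapper, so it must not be fed through the same decoder.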
cc @feelepxyz @marshall007 @wlynch for more thoughts
Thank you for starting this!
Hey all, just wanted to check in, has there been any progress on this?