
sigstore, test: add CircleCI credential detection

Open woodruffw opened this issue 3 years ago • 6 comments

See #31.

Signed-off-by: William Woodruff [email protected]

woodruffw avatar May 06 '22 16:05 woodruffw

Yep, correct. It looks like CircleCI uses a similar permission style to GitHub's, but skips the indirection of a request.

Sent from mobile. Please excuse my brevity.

On May 6, 2022, at 12:28 PM, Dustin Ingram @.***> wrote:

 @di commented on this pull request.

In sigstore/_internal/oidc/ambient.py:

+def detect_circleci() -> Optional[str]:

  • logger.debug("CircleCI: looking for OIDC credentials")
  • if not os.getenv("CIRCLECI"):
  •    logger.debug("CircleCI: environment doesn't look right; giving up")
    
  •    return None
    
  • token = os.getenv("CIRCLE_OIDC_TOKEN")
  • if not token:
  •    raise AmbientCredentialError(
    
  •        "CircleCI: missing or insufficient OIDC token permissions"
    
  •    )
    
  • return token This is the actual identity token? We don't need to make additional requests here?
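Review bot: `detect_circleci` returns whatever `CIRCLE_OIDC_TOKEN` holds without looking at the token's `aud` claim, and the CircleCI documentation quoted later in this thread says that claim is fixed to the organization UUID rather than a relying-party audience; either document that limitation in a docstring (the function currently has none) or inspect `aud` before returning, so the caller learns why the token is unusable here instead of getting a rejection from the verifier later. The message "CircleCI: missing or insufficient OIDC token permissions" also implies a permissions model that the hunk never consults; the only check made is that the variable is set, so "CircleCI: missing OIDC token" describes the failure accurately.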


woodruffw avatar May 06 '22 16:05 woodruffw

Sounds good!

woodruffw avatar May 06 '22 19:05 woodruffw

This seems like a dealbreaker. From https://circleci.com/docs/2.0/openid-connect-tokens/#format-of-the-openid-connect-id-token

aud: The audience. Currently, this is a fixed value "<organization-id>", a string containing a UUID that identifies the job’s project’s organization.

di avatar May 09 '22 19:05 di
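The detector shape discussed in this thread (an environment variable check, no token-exchange request), extended with the audience check that the fixed `aud` claim quoted above makes necessary, as an added example; this is not sigstore-python's or id's own code. It assumes an expected audience of "sigstore", uses a placeholder organization UUID, defines its own `AmbientCredentialError`, and builds constructed, unsigned JWT-shaped tokens so that it runs offline. The claim inspection deliberately does not verify the signature: it only decides whether the token is worth presenting, and verification remains the relying party's job.

```python
import base64
import json
import logging
import os
from typing import Mapping, Optional

logger = logging.getLogger(__name__)


class AmbientCredentialError(Exception):
    """The environment looks like CircleCI, but it holds no token usable for our audience."""


def _unverified_claims(token: str) -> dict:
    """Decode the JWT payload without checking the signature.

    Claim inspection only: this decides whether the token is worth presenting
    at all. Signature and issuer verification stay with the relying party.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise AmbientCredentialError("CircleCI: token is not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise AmbientCredentialError("CircleCI: token payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise AmbientCredentialError("CircleCI: token payload is not a JSON object")
    return claims


def detect_circleci(expected_audience: str, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the CircleCI-provided OIDC token if it carries the expected audience.

    Returns None when not running on CircleCI at all; raises when running on
    CircleCI but the token is absent or was minted for a different audience.
    """
    env = os.environ if env is None else env
    logger.debug("CircleCI: looking for OIDC credentials")
    if not env.get("CIRCLECI"):
        logger.debug("CircleCI: environment doesn't look right; giving up")
        return None

    # CircleCI injects the token directly; there is no token-exchange request to make.
    token = env.get("CIRCLE_OIDC_TOKEN")
    if not token:
        raise AmbientCredentialError("CircleCI: missing OIDC token (CIRCLE_OIDC_TOKEN is unset)")

    aud = _unverified_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        # Never log the token itself; the audience list is enough to explain the failure.
        raise AmbientCredentialError(
            f"CircleCI: token audience {audiences!r} does not include {expected_audience!r}"
        )
    return token


def make_demo_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped string for exercising the detector offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def run_demo(expected_audience: str = "sigstore") -> dict:
    """Run the detector against three constructed environments and report each outcome."""
    org_id = "00000000-0000-4000-8000-000000000000"  # placeholder organization UUID
    cases = {
        "not_circleci": {},
        "fixed_org_audience": {"CIRCLECI": "true", "CIRCLE_OIDC_TOKEN": make_demo_token({"aud": org_id})},
        "custom_audience": {"CIRCLECI": "true", "CIRCLE_OIDC_TOKEN": make_demo_token({"aud": expected_audience})},
    }
    results = {}
    for name, env in cases.items():
        try:
            results[name] = "token" if detect_circleci(expected_audience, env) else None
        except AmbientCredentialError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The "fixed_org_audience" case models the blocker in this thread: the token exists and the environment looks right, but its `aud` is the organization UUID, so the detector refuses it with a message naming the audience mismatch rather than handing an unusable token to the next step. The "custom_audience" case is what becomes possible once the audience is configurable.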

Marking this as blocked on https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens; please upvote that feature request if you need this feature.

di avatar May 09 '22 20:05 di

Oh well; that's too bad. At least the changeset here is pretty small, so we'll be able to move this along rapidly once that gets unblocked.

woodruffw avatar May 09 '22 21:05 woodruffw

When we're ready to merge this, we should go to https://app.circleci.com/settings/project/github/sigstore/sigstore-python/advanced and re-enable "GitHub Status Updates" before rebasing.

di avatar May 10 '22 21:05 di

Given the slow movement here, dropping this out of the 1.0 milestone.

di avatar Jan 04 '23 22:01 di

CircleCI has just added customizable audience claims in OIDC tokens =)

https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management

jerdog avatar Jun 06 '23 16:06 jerdog

@jerdog fantastic, thanks for letting us know!

This PR is pretty stale at this point, but I'll see about refreshing it.

woodruffw avatar Jun 06 '23 16:06 woodruffw

NB: This will require upstream changes to id, since we've moved all ambient credential detection logic there.

woodruffw avatar Jun 06 '23 16:06 woodruffw

Upstream tracking: https://github.com/di/id/issues/61

woodruffw avatar Jun 06 '23 17:06 woodruffw

This has been done upstream. The only remaining item for CircleCI support in sigstore-python is to update our dependency on id, which is currently in the works.

woodruffw avatar Dec 12 '23 18:12 woodruffw