
Support creating a sigstore bundle from a cosign simplesigning signature made by a key-pair

Open rdimitrov opened this issue 2 years ago • 0 comments

Details:

  • This issue is about supporting an artifact that was signed with cosign using a local key pair.
  • Note that when signing with a key pair there's no longer a certificate in the manifest annotations thus the need for these changes.

Blocking:

  • Working on this depends on having the provider interface implemented.
  • There should be a sigstore provider implementation for key pair signatures where the expected public key can be provided.

Implementation details (sigstore-go):

  • Upon creation of the verifier we need to update the trustedMaterial list passed to verify.NewSignedEntityVerifier so it also includes a TrustedPublicKeyMaterial with that public key alongside the trustedRootJson.
  • Upon generating the bundle's verification material, we need to use

        &protobundle.VerificationMaterial_PublicKey{
            PublicKey: &protocommon.PublicKeyIdentifier{
                Hint: "keyword-for-your-public-key",
            },
        }

    instead of VerificationMaterial_X509CertificateChain.

  • Upon verification of that bundle, we don't need verify.WithCertificateIdentity() and NewShortCertificateIdentity respectively. Instead we'll use verify.WithoutIdentitiesUnsafe() (that last part is still to be verified).

rdimitrov, Feb 09 '24 09:02
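The issue above describes a three-step change (trusted material keyed by public key, a bundle whose verification material is a key hint rather than a certificate chain, and verification without an identity check). The following is an added, self-contained example that is not part of the issue, not the minder project's code, and not sigstore-go's API: it models the bundle shapes the issue names (PublicKeyIdentifier with a Hint, VerificationMaterial carrying a public key instead of an X.509 chain, TrustedPublicKeyMaterial as a hint-to-key lookup) with plain Go structs and the standard library only, so the trust logic can be run and tested offline. The simplesigning payload, the image reference and digest inside it, and the hint format (SHA-256 of the DER SubjectPublicKeyInfo) are all constructed assumptions of this example; cosign and sigstore-go may derive hints differently. What the example makes visible is exactly what verify.WithoutIdentitiesUnsafe() gives up: with a local key pair there is no certificate and therefore no signer identity to check, so the only trust decisions left are whether the hint resolves to a key you already trust and whether the signature verifies under that key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// PublicKeyIdentifier mirrors the shape of protocommon.PublicKeyIdentifier:
// the bundle carries only a hint naming the key, never the key bytes.
type PublicKeyIdentifier struct {
	Hint string
}

// VerificationMaterial mirrors the key-pair case of
// protobundle.VerificationMaterial: a public-key hint and no X.509 chain.
type VerificationMaterial struct {
	PublicKey *PublicKeyIdentifier
}

// Bundle is the subset of a sigstore bundle this example needs.
type Bundle struct {
	VerificationMaterial VerificationMaterial
	Payload              []byte // cosign simplesigning JSON (constructed below)
	Signature            []byte // ASN.1 DER ECDSA signature over sha256(Payload)
}

// TrustedPublicKeyMaterial models the role of root.TrustedPublicKeyMaterial:
// the verifier resolves a hint to a key it already trusts, supplied out of band.
type TrustedPublicKeyMaterial map[string]*ecdsa.PublicKey

// SimpleSigningPayload is a constructed simplesigning document; the image
// reference and digest are placeholders, not real artifacts.
const SimpleSigningPayload = `{"critical":{"identity":{"docker-reference":"registry.example/app"},` +
	`"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},` +
	`"type":"cosign container image signature"},"optional":null}`

// KeyHint derives a stable hint from the key's DER SubjectPublicKeyInfo.
// This hint format is an assumption of the example, not sigstore's convention.
func KeyHint(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// SignPayload plays the "cosign sign --key" side: sign sha256(payload) with the
// private key and record only the key hint in the verification material.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (*Bundle, error) {
	hint, err := KeyHint(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{
		VerificationMaterial: VerificationMaterial{PublicKey: &PublicKeyIdentifier{Hint: hint}},
		Payload:              payload,
		Signature:            sig,
	}, nil
}

// VerifyBundle plays the verifier side. Without a certificate there is no
// identity to check; trust rests entirely on the hint resolving to a key in
// the trusted material and on the signature verifying under that key.
func VerifyBundle(b *Bundle, trusted TrustedPublicKeyMaterial) error {
	if b.VerificationMaterial.PublicKey == nil {
		return errors.New("bundle carries no public key identifier")
	}
	hint := b.VerificationMaterial.PublicKey.Hint
	pub, ok := trusted[hint]
	if !ok {
		return fmt.Errorf("no trusted public key for hint %q", hint)
	}
	digest := sha256.Sum256(b.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	return nil
}

// DemoRoundTrip runs the flow end to end and reports the three outcomes a
// practitioner should check: a genuine bundle verifies, a bundle whose hint is
// unknown to the trusted material is rejected, and a tampered payload is
// rejected even though its hint still resolves.
func DemoRoundTrip() (genuineOK, unknownHintRejected, tamperRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	hint, err := KeyHint(&priv.PublicKey)
	if err != nil {
		return false, false, false, err
	}
	trusted := TrustedPublicKeyMaterial{hint: &priv.PublicKey} // the expected public key, configured by the verifier

	b, err := SignPayload(priv, []byte(SimpleSigningPayload))
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyBundle(b, trusted) == nil

	unknown := *b
	unknown.VerificationMaterial.PublicKey = &PublicKeyIdentifier{Hint: "not-a-trusted-key"}
	unknownHintRejected = VerifyBundle(&unknown, trusted) != nil

	tampered := *b
	tampered.Payload = []byte(strings.Replace(SimpleSigningPayload, "registry.example/app", "registry.example/evil", 1))
	tamperRejected = VerifyBundle(&tampered, trusted) != nil
	return genuineOK, unknownHintRejected, tamperRejected, nil
}

func main() {
	ok, unk, tam, err := DemoRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, unknown hint rejected: %v, tampered payload rejected: %v\n", ok, unk, tam)
}
```

Because the trusted material is a hint-to-key map that the verifier builds itself, a bundle cannot smuggle in its own key: a hint that is not already in that map fails closed, which is the property the issue's "expected public key can be provided" requirement is asking for.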