chains
chains copied to clipboard
tektoncd
Verify the SCT coming back from Fulcio.
Feature request
I think we should verify the SCT coming back from Fulcio to ensure we're not being bamboozled by it. So here: https://github.com/tektoncd/chains/blob/main/pkg/chains/signing/x509/x509.go#L83
We call the fulcio.NewSigner, but I think we should consider calling the fulcioverifier version of it here: https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go#L96
Which then in turn additionally verifies the SCT coming back here: https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go#L103
My understanding is that it's not quite as simple as just importing this version due to some conflicting log imports from here: https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go#L29
But, maybe it's just as simple as just swapping? :) Haven't had a chance to verify it yet, just jotting this down.
Use case
It's important to verify that Fulcio actually added the Certificate to a CTLog and SCT is that proof, so it should be verified. Currently we don't (or I totes missed where we dot it).
Thanks for catching this, we definitely should be verifying the SCT!
Unfortunately it looks like just swapping might not work, seems like the dependency you pointed out ("github.com/google/certificate-transparency-go/x509") depends on glog which Chains can't depend on because of the "log_dir redefined flag error" 😞
We could either try to remove the glog dependency from the certificate-transparency-go lib upstream, or try to rewrite the SCT verification in Chains. First option is probably better!
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
We do SCT verification in Cosign, and worked around the glog issue by copying in ctutil - https://github.com/sigstore/cosign/blob/7ba521444f9fcfdf2e1e5936c05834597674e6c9/cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go
See https://github.com/sigstore/cosign/blob/30bf1c09c6fde849245648ff294725d86094fe28/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go for the verification. It still pulls from certificate-transparency-go, but avoids pulling in anything with glog.
We mirrored the policy-controller replace in https://github.com/tektoncd/chains/pull/514 so I don't think glog is a blocker anymore.
@haydentherapper Should we just upstream the SCT check to the Fulcio library? sigstore-go also works, but this feels fundamental enough that it might make sense in fulcio proper. 🤔
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/close
Send feedback to tektoncd/plumbing.
@tekton-robot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity. Reopen the issue with
/reopenwith a justification. Mark the issue as fresh with/remove-lifecycle rottenwith a justification. If this issue should be exempted, mark the issue as frozen with/lifecycle frozenwith a justification./close
Send feedback to tektoncd/plumbing.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.