Skip to content

Fulcio signing implementation#1785

Merged
vrothberg merged 3 commits intocontainers:mainfrom
mtrmac:fulcio-signing
Jan 12, 2023
Merged

Fulcio signing implementation#1785
vrothberg merged 3 commits intocontainers:mainfrom
mtrmac:fulcio-signing

Conversation

@mtrmac
Copy link
Copy Markdown
Collaborator

@mtrmac mtrmac commented Jan 9, 2023

This adds API to use Fulcio-generated short-lived certificates.

Depends on #1784 .

I still need to test one part but it seems broadly ready.

I don’t feel too confident about the API, but it seems close enough, and we can always add more option functions, or a new signature/sigstore/fulciov2 package (still operating on signature/sigstore/internal.Signer)

@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Jan 9, 2023
vrothberg
vrothberg approved these changes Jan 10, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mtrmac
Copy link
Copy Markdown
Collaborator Author

mtrmac commented Jan 11, 2023

Rebased, ready for review.

@mtrmac mtrmac marked this pull request as ready for review January 11, 2023 10:22
@mtrmac
Copy link
Copy Markdown
Collaborator Author

mtrmac commented Jan 11, 2023

Oops, still one path to try.

@mtrmac mtrmac marked this pull request as draft January 11, 2023 10:23
mtrmac added 3 commits January 11, 2023 11:23
@mtrmac
Move the docker client User-Agent value to a shared subpackage
9352751 
... to be also used by Fulcio.

Note that the atomic: transport uses a skopeo/... user agent,
we don't care to change that.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Add Fulcio with OIDC authentication
35b5b08 
Tested manually with Skopeo.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
FIXME: Add Fulcio with user-provided OIDC token
cd6511f 
This seems, at best, useful for debugging and as an escape hatch
for other missing OIDC operations.

FIXME: test this at least once manually.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Copy link
Copy Markdown
Collaborator Author

mtrmac commented Jan 11, 2023

I have (manually) tested the “static ID token” path now.

Ready for review and potentially merging now.

@mtrmac mtrmac marked this pull request as ready for review January 11, 2023 19:39
This was referenced Jan 11, 2023
Merged
Open
@mtrmac
Copy link
Copy Markdown
Collaborator Author

mtrmac commented Jan 11, 2023

(Adding unit tests tracked in containers/container-libs#235.)

@TomSweeneyRedHat
Copy link
Copy Markdown
Member

TomSweeneyRedHat commented Jan 11, 2023

LGTM

@mtrmac mtrmac mentioned this pull request Jan 12, 2023
Closed
12 tasks
vrothberg
vrothberg approved these changes Jan 12, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vrothberg vrothberg merged commit 5ef8a4f into containers:main Jan 12, 2023
@mtrmac mtrmac deleted the fulcio-signing branch January 12, 2023 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vrothberg vrothberg vrothberg approved these changes

Assignees

No one assigned

Labels

kind/feature A request for, or a PR adding, new functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtrmac @TomSweeneyRedHat @vrothberg