sigstore signing CLI tool
⚠️ Not ready for use yet!
sigstore CLI is a generic tool to sign blobs, tarballs, etc. and establish a trust root using the sigstore signing infrastructure.
For container signing, you want cosign
This moves these packages from sigstore/cosign into sigstore/sigstore.

pkg/fulcioroots comes from cosign's cmd/cosign/cli/fulcio/[email protected], and drops that package's behavior when the SIGSTORE_ROOT_FILE env var is set -- this will remain in sigstore/cosign.

pkg/tuf comes from cosign's pkg/cosign/[email protected] and is otherwise largely unchanged. Some methods were unexported that aren't used outside of this package.

Part of https://github.com/sigstore/cosign/issues/1865

pkg/fulcioroots and pkg/tuf are moved from cosign repo
Description
I am opening this to ask if there's a contributor ladder defined for sigstore. How do I become an org member?
I would be happy to help with PR reviews here, hoping to work towards maintainership.
previous contributions - mainly fuzzing sigstore and integrating with oss-fuzz
https://github.com/sigstore/sigstore/issues?q=is%3Aissue+author%3Anaveensrinivasan
https://github.com/sigstore/cosign/issues?q=is%3Aissue+author%3Anaveensrinivasan+
https://github.com/sigstore/rekor/pulls?q=author%3Anaveensrinivasan
https://github.com/sigstore/rekor/issues?q=author%3Anaveensrinivasan
cc @lukehinds @dlorenc @bobcallaway
enhancement

Folks,
There are a bunch of MPL libraries here: https://github.com/sigstore/sigstore/blob/main/go.mod#L58-L75
CNCF only allows a handful of MPL'ed libraries from hashicorp: https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json#L23-L46
the CNCF policy is written down here: https://github.com/cncf/foundation/tree/main/license-exceptions
Question is ... what do we do next?
question

Description
There's an interesting forgery for ECDSA where it's possible to forge a valid signature over a random value for a fixed public key. To defend against this, it's necessary to first hash a message before signing or verifying it. For ED25519, this is handled via a pre-hash, while for ECDSA, it's standard practice to first hash the message.
However, for the hashedrekord type, it's a requirement that we verify against a digest without hashing again. This is why we support WithDigest. This makes WithDigest unsafe. We can help defend against this if there is a check beforehand that the digest looks like a digest, so a random value isn't accepted. For example, Rekor checks that the digest matches a SHA256 regex.
This is not a foolproof approach, as it is still possible that a random value looks like a digest; it's just hard to find such a value for this forgery (I think this is true, but I'd need someone more well-versed in elliptic curve crypto to verify this).
We should add a) warnings in comments about the dangers of verifying with a digest, and b) move the Rekor checks into here to enforce that a digest looks like a digest.
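The gate this issue asks for, as an added Go example that is not sigstore's own code: it verifies an ECDSA signature either over a message (hashed here, the safe default) or over a caller-supplied digest, and in the digest path it refuses anything that is not shaped like a hex-encoded SHA-256 value before any curve arithmetic runs. The regex, the function names, the demo key and the sample payload are assumptions; sigstore's real WithDigest option and Rekor's actual check are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// sha256HexRE is the shape a pre-hashed value must have before it is accepted:
// exactly 64 lowercase hex characters. Assumption: a stand-in for the kind of
// regex the issue says Rekor applies, not Rekor's actual pattern.
var sha256HexRE = regexp.MustCompile(`^[0-9a-f]{64}$`)

// LooksLikeSHA256 reports whether s is formatted like a hex SHA-256 digest.
func LooksLikeSHA256(s string) bool { return sha256HexRE.MatchString(s) }

// VerifyPrehashed is the "WithDigest" situation: the caller has already hashed.
// The format check runs first so an arbitrary value cannot be handed straight
// to ecdsa.VerifyASN1; it narrows the risk the issue describes but, as the
// issue notes, a random value that happens to look like a digest still passes.
func VerifyPrehashed(pub *ecdsa.PublicKey, digestHex string, sig []byte) error {
	if !LooksLikeSHA256(digestHex) {
		return errors.New("refusing to verify: digest is not a hex-encoded SHA-256 value")
	}
	digest, err := hex.DecodeString(digestHex)
	if err != nil { // unreachable after the regex; kept for defence in depth
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest, sig) {
		return errors.New("signature does not verify over the supplied digest")
	}
	return nil
}

// DigestHex returns the lowercase hex SHA-256 of msg, the form a caller would
// pass into the pre-hashed path.
func DigestHex(msg []byte) string {
	d := sha256.Sum256(msg)
	return hex.EncodeToString(d[:])
}

// VerifyMessage is the safe default: hash here, then verify over that digest.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) error {
	return VerifyPrehashed(pub, DigestHex(msg), sig)
}

// SignMessage hashes and signs; used only to build sample data for the demo.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// GenerateDemoKey makes a fresh P-256 key for the sample run (constructed,
// not a real sigstore key).
func GenerateDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	priv, err := GenerateDemoKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample payload") // constructed input
	sig, _ := SignMessage(priv, msg)
	fmt.Println("message path  :", VerifyMessage(&priv.PublicKey, msg, sig))
	fmt.Println("good digest   :", VerifyPrehashed(&priv.PublicKey, DigestHex(msg), sig))
	fmt.Println("malformed     :", VerifyPrehashed(&priv.PublicKey, "not-a-digest", sig))
}
```

The point of keeping VerifyMessage as a thin wrapper over VerifyPrehashed is that every verification passes through the same gate; a library exposing a digest option should make the message path the documented default and the digest path the one that carries the warning.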
enhancement

The goal is to make it as easy as possible to put the business logic in pkg, re-use pkg across projects within sigstore, and allow third parties to build on top of these libraries (e.g. to implement CI plugins).
TODOs:
- sigstore
- cosign
Signed-off-by: Jake Sanders [email protected]
Suggestion: Adding interactive flows for each specific identity provider, allowing users to skip the main idp selection page. I think one less click can improve the UX a bit. Further UX improvement is gained when the browser uses a default idp account; the user may not need to interactively intervene at all. Such a pseudo-auto flow may also be valuable in automation use cases, for example a git hook signing SLSA provenance.
Hope this helps. mikey strauss
Clients who want to enable specific kms implementations can import (or underscore-import) specific KMS impls they want, and otherwise don't have to depend on them.
Specific kms implementations that are needed must be explicitly imported for init-time setup.
This patch removes the requirement of having the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET set to use the Azure KMS (KeyVault).
By removing the requirement, we enable usage of MSI (Managed Service Identity) through NewAuthorizerFromEnvironment(), and at the same time we add support for NewAuthorizerFromCLI().
By splitting the function of calculating what method to use into its own function, getAuthenticationMethod(), it's possible to test the logic separately.
We also introduce the new environment variable AZURE_AUTH_METHOD which, if set to environment, will use FromEnvironment() (may be useful for the MSI case) and, if set to cli, will use FromCLI().
If nothing is defined, FromEnvironment() will be tested first and then FromCLI(). :^)
Fixes #223
Add support for more Azure KMS authentication methods.
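The selection logic the PR describes, as an added Go example that is not sigstore's code: getAuthenticationMethod() is modelled as GetAuthenticationMethod reading AZURE_AUTH_METHOD, and the two Azure authorizer constructors are injected as plain functions so the explicit-choice and fallback behaviour can be exercised offline, without Azure credentials or the Azure SDK. The Authorizer type, the AuthSources struct and the fake constructors in main are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Authorizer stands in for whatever the Azure SDK returns (assumption: a
// string label is enough to show which path was taken).
type Authorizer string

// AuthSources injects the two constructors the PR names so the selection
// logic is testable on its own, which is the reason the PR split it out.
type AuthSources struct {
	FromEnvironment func() (Authorizer, error)
	FromCLI         func() (Authorizer, error)
}

// AuthMethod is the parsed value of AZURE_AUTH_METHOD.
type AuthMethod string

const (
	AuthEnvironment AuthMethod = "environment"
	AuthCLI         AuthMethod = "cli"
	AuthAuto        AuthMethod = "" // unset: try environment first, then cli
)

// GetAuthenticationMethod parses AZURE_AUTH_METHOD (hypothetical stand-in
// for the PR's getAuthenticationMethod). lookup is injected so tests do not
// need to touch the real environment; pass os.LookupEnv in production.
func GetAuthenticationMethod(lookup func(string) (string, bool)) (AuthMethod, error) {
	v, ok := lookup("AZURE_AUTH_METHOD")
	if !ok || strings.TrimSpace(v) == "" {
		return AuthAuto, nil
	}
	switch m := AuthMethod(strings.ToLower(strings.TrimSpace(v))); m {
	case AuthEnvironment, AuthCLI:
		return m, nil
	default:
		// Fail closed on typos rather than silently falling into auto mode.
		return "", fmt.Errorf("unsupported AZURE_AUTH_METHOD %q (want %q or %q)", v, AuthEnvironment, AuthCLI)
	}
}

// NewAuthorizer applies the chosen method. An explicit choice never falls
// back to the other source; the automatic mode tries the environment first,
// then the CLI, and reports both failures if neither works.
func NewAuthorizer(method AuthMethod, src AuthSources) (Authorizer, error) {
	switch method {
	case AuthEnvironment:
		return src.FromEnvironment()
	case AuthCLI:
		return src.FromCLI()
	case AuthAuto:
		a, envErr := src.FromEnvironment()
		if envErr == nil {
			return a, nil
		}
		a, cliErr := src.FromCLI()
		if cliErr == nil {
			return a, nil
		}
		return "", fmt.Errorf("no Azure authorizer available: environment: %v; cli: %v", envErr, cliErr)
	default:
		return "", fmt.Errorf("unknown auth method %q", method)
	}
}

func main() {
	method, err := GetAuthenticationMethod(os.LookupEnv)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	// Constructed stand-ins: the environment path fails, the CLI path works,
	// so with AZURE_AUTH_METHOD unset the result should be the CLI authorizer.
	src := AuthSources{
		FromEnvironment: func() (Authorizer, error) { return "", errors.New("AZURE_* variables not set") },
		FromCLI:         func() (Authorizer, error) { return "cli-authorizer", nil },
	}
	a, err := NewAuthorizer(method, src)
	fmt.Printf("method=%q authorizer=%q err=%v\n", method, a, err)
}
```

Rejecting an unknown AZURE_AUTH_METHOD value instead of treating it as "auto" keeps a misspelt setting from quietly picking up whatever credentials happen to be on the host.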
Enabling fuzzing for sigstore.
The first steps into fuzzing Sigstore. The goal is to integrate this into oss-fuzz using libfuzzer https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/ and https://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-for.html
Signed-off-by: naveen [email protected]
This is the first step of several to try to have a signature library that can be used across all of sigstore's golang projects.
There's an issue with the hashivault provider that I haven't quite been able to pin down yet. I noticed it while testing https://github.com/sigstore/cosign/pull/278, so the bug may not actually be here.
The existing PR works when you sign/verify with the provider API itself, but does not work when you verify against the exported public key. That is:
cosign sign -key hashivault://foo followed by cosign verify -key hashivault://foo works,
but
cosign sign -key hashivault://foo followed by cosign public-key -key hashivault://foo > hk.pub && cosign verify -key hk.pub does not work.
Signed-off-by: Asra Ali [email protected]
I expect that with this method, we can now set sign/verify opts to include RekorPubKeys, so that people can define this themselves when they use cosign as a library. This is how the fulcio roots work as well.
Fixes
Merge 'cosign/pkg/providers' into sigstore/sigstore.
This upstreams cosign's provider packages into sigstore/sigstore so that other tools like gitsign can use them without needing to depend on cosign. These packages are generic enough that they seem like a good fit here to be shared across sigstore projects.
This was intentionally done as a merge so that commit history is preserved for both the sigstore repo and the commits that are coming from cosign.
That said, we could also do this as a rebase on top of sigstore (would rewrite all commit times for cosign commits) or a single squash commit (all changes attributed to 1 commit). Let me know if you have thoughts on this.
Part of https://github.com/sigstore/gitsign/issues/62
cosign's OAuth provider packages are now available in sigstore/sigstore.
Description
I was looking at the permissions needed by the ClusterImagePolicy -> ConfigMap reconciler to deal with KMS, and it seems to require cloudkms.cryptoKeys.get, where I'd expect it to only need cloudkms.cryptoKeyVersions.viewPublicKey.
I can understand the signing path requiring more capabilities, but for things like the admission controller and cosign verify flows, it should be doable by folks that only have public key access.
cc @dekkagaijin @imjasonh
bug

Followups from https://github.com/sigstore/sigstore/pull/435
- panic in fulcioroots.Get()
- version: 3 in root.json (https://github.com/sigstore/sigstore/pull/435#discussion_r874926503)
/assign @haydentherapper
enhancement

Description
Currently, when you successfully get through an OAuth flow, you're met with this page:
Good stuff:
Bad stuff:
I think we have an opportunity to make this page feel really cohesive with the rest of the Sigstore brand. We shouldn't take this as an opportunity to load the page down with a bunch of CSS/JS/images, but I think there's improvements we could make, like:
After https://github.com/sigstore/sigstore/pull/425 we'll only have one copy of this HTML, here:
https://github.com/sigstore/sigstore/blob/9a39e97a01521211a31ecc8c29ecf4545be3a73f/pkg/oauth/interactive.go#L19-L25
enhancement

Release v1.3.0
- … LoadSignVerifier by @mattmoor in https://github.com/sigstore/sigstore/pull/468
Full Changelog: https://github.com/sigstore/sigstore/compare/v1.2.0...v1.3.0

Release v1.2.0
- … aws-us-gov arn partitions by @chaospuppy in https://github.com/sigstore/sigstore/pull/289
- … cosign by @dekkagaijin in https://github.com/sigstore/sigstore/pull/322
- … oidc.IDTokenSource by @dekkagaijin in https://github.com/sigstore/sigstore/pull/320
Full Changelog: https://github.com/sigstore/sigstore/compare/v1.1.0...v1.2.0

Release v1.1.0
- … innerWrapper as VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/144
- … VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/145
Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.1...v1.1.0

Release v1.0.1
Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.0...v1.0.1

Release v1.0.0
- … signature library by @dekkagaijin in https://github.com/sigstore/sigstore/pull/26
- … crypto.PublicKey in favor of *ecdsa.PublicKey by @dekkagaijin in https://github.com/sigstore/sigstore/pull/33
- … signature package for signing by @dekkagaijin in https://github.com/sigstore/sigstore/pull/38
- … output to save client cert file locally by @lukehinds in https://github.com/sigstore/sigstore/pull/79
- … cmd/, clean up unused code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/90
- … pkg/tlog, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/91
- … go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/94
- … pkg/util directory by @dekkagaijin in https://github.com/sigstore/sigstore/pull/95
- … pkg/cryptoutils by @dekkagaijin in https://github.com/sigstore/sigstore/pull/99
- … pkg/cryptoutils tests, add a generator for ECDSA keypairs by @dekkagaijin in https://github.com/sigstore/sigstore/pull/100
Full Changelog: https://github.com/sigstore/sigstore/commits/v1.0.0