-
Notifications
You must be signed in to change notification settings - Fork 550
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discourage (disallow?) naked cosign verify
invocations
#2056
Comments
+100000 to this. A couple thoughts:
Let's get the ball rolling and require I'd also like a blog post or documentation on this topic after we resolve it, as we're closing a significant risk. We'll also need to sync with the clients for consistent behavior (I know Python is ready to implement this), and sync with policy-controller to make sure it supports non-email based identities. |
My preference is to immediately stick a deprecation warning in, and leave it for a release or two first. But yeah, I'm on-board overall.
I don't feel super strongly about this, but I do think it'd be pretty useful for debugging (not just debugging Cosign, but debugging Sigstore integrations generally).
Good call. See also #1964
Works for me.
Agreed on single identity flag.
I think that's a good idea. As you point out, it's a moderately disruptive change so I'd like to get community buy-in before implementing it. Perhaps we should have a 1-pager on the proposed changes ready to go next week and share in Slack, then present it at the next community meeting (there is none next week). |
Sounds good, let's get the deprecation warning in after the community meeting.
I'm hesitant because we've seen testing features like the environment variables for providing roots of trust work their way into documentation. Maybe we start without one, and if we hear complaints from developers, we add one?
Sent you the 1-pager, feel free to update. Let's see how many folks are at this week's office hours, it might be enough to start getting some feedback, then we can present again the following week/post on Slack. |
SGTM; I'll take a look. I won't make office hours this coming week, but I should be available the week after for the community meeting. Appreciate you knocking out the 1-pager so quick! |
What about a command to inspect the bundle? Instead of verify, cosign inspect? I agree this is usage is dangerous and that we should remove it. It's also useful for debugging so I'd love to keep it in some form if we can make it clear that no verification is performed. |
That’d also give us the ability to define a machine readable format with information about the bundle and signature, would be very useful for policy engines to consume to make decisions. |
+1000 |
I think we should have both - A simple-to-use secure verification with |
|
Design doc: https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA# (sigstore-dev@ for access) Related issues I'm going to leave open that will be closed once this is completed: #1947, #1964 Related but will be tackled independent from this: #2210 |
ACKing so you can assign me the issue. |
Circling back: what's the status here? I see #2278 adds |
@woodruffw Your timing is impeccable. 😅 I'm cleaning up the tests and then the PR will be ready for review. |
Some open source projects only care that the artifact was signed and are not worried about who signed it, maybe add a --any-signature flag for those users that way it's just more explicit and clear about the ramifications? |
Can you give context? This is basically always the wrong thing to check, and my gut reaction is that we should be correcting that behavior rather than indulging it. If you truly don't care whether you're getting any security guarantees from a signature, something like a |
Strong +1 to what @znewman01 said -- absent a trusted identity, an arbitrary sigstore signature is equivalent to an integrity check against an untrusted hash. If this is something that
|
+1, not checking identity is equivalent to being handed a verification key alongside the signature without checking the verification key belongs to an entity you trust. I think it's fine for the API to be flexible, but I would prefer the CLI not be. Please let us know if there's a use-case we're missing. |
FWIW, the latest release of |
Verification of the identity of the signer is a critical part of Sigstore verification. Otherwise, you are only verifying that there is some signature that is valid, instead of checking that the signature was generated by someone you trust. For more information, sigstore/cosign#2056 contains some discussion around why we want to require these flags, and sigstore/cosign#1947 for why we require both of these flags. An open question for you is if this specified identity (which came from the certificate) will change between releases. If so, how would you like users to know which identity signed a release?
Inspired by sigstore/sigstore-python#155
cosign verify
(in keyless mode) without any--cert-email
provided will succeed when literally anybody has signed an image/blob. This is almost never the right behavior: [email protected] can sign any blob you can.Instead, we should require some verification policy:
--cert-email
(and--cert-oidc-provider
; see If--cert-email
is provided,--cert-oidc-provider
should be required (verification) #1947)--insecure
, which will do the current behavior today (possibly a hidden flag)(Keyfull mode is okay, because you're passing the key material or CA in explicitly)
The text was updated successfully, but these errors were encountered: