-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support keyless Signature verification using only Root certificate #710
Comments
I have tested the scenario on a cluster now sharing the working and not working logs |
@Mukuls77 I am afraid this behaviour is intentional to ask for any intermediate and the root certificate. |
Hi Hector the cosign base code support the flow in which we set the SIGSTORE_ROOT_FILE env variable to rootCert and than in verify command we dont pass any Intermediate cert so than cosign picks the cert chain and cert from the Registry and validate those using the Root cert provided in SIGSTORE_ROOT_FILE. so a similar behaviour should be supported when we are using policy controller |
@Mukuls77 Alright! I'll have a look at the logs. |
@Mukuls77 I've tried using the Please, make sure you're using the root certificate only. |
Hi Hector thanks for the update. actually i used a new set of certs for generating these logs, and i validated that i am using correct root cert in my test. I am sharing the cert used for this test for your view. /home/mukul/tarballTest>openssl x509 -text -in rootCA.crt /home/mukul/tarballTest>openssl x509 -text -in intermediateCA.crt /home/mukul/tarballTest>openssl x509 -text -in leafCA.crt also when i use Intemediate cert + root cert in the cert chain than the policy controller works fine. it only fails when i am using only root cert. logs attached for working case |
Hi Hector i tried the policy validation again with a different set of leaf, intermediate and root cert but the result is the same if it only use root cert in the Trustroot than validation fails but it works if i use Intermediate cert + root cert in the trust root. as you mentioned it worked for you can you pls share the certs you used for your case (leaf, intermediate, root) so that i can check what is the difference in my case. |
@hectorj2f can you pls provide the certs (leaf , intermediate, root) and the leaf key so that i can check this case, as i tried it myself using my certs and cert chain but it is not working till i provide complete cert chain (intermediate + root) in the trust root. It only work for me when i have only leaf and root cert as the complete chain i.e. no intermediate cert is present, as i use an intermediate cert than just setting root cert in trust root does not work. |
Support keyless Signature verification using only Root certificate
Use case Description:
Issue Description
currently cosign support verification of the signature using just root certificate using following mechanism.
We have an artifact which has associated signature, cert and cert chain in the registry.
showing the manifest of the signature for refrence.
Artifact : ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9
Fetching signature:
./cosign-linux-amd64 triangulate ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9
ttl.sh/cosign-ci/68ab7a70:sha256-ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9.sig
Signature manifest
crane manifest ttl.sh/cosign-ci/68ab7a70:sqa256-ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9.sig |j
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 357,
"digest": "sha256:da8a1a9eb14cf44984c1daba0400ae5047ed3cae705266594597116d8738fc91"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 241,
"digest": "sha256:3c2165afcc2d11083dcc469440ca74b8bffa0fdd6c8818ed06933f3c839533c1",
"annotations": {
"dev.cosignproject.cosign/signature": "MEYCIQDiD1Ba6QvsNu6R1uMi3f/Kw7UqcIWejVyJxFv1mTDFeQIhAIzeMcZYPFd9J5cuEdiGqfGb0CY6mH0IBRyKvBpwKBuQ"
}
},
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 242,
"digest": "sha256:61b4e7ee03e7df79b6c8182e8440b4b794300aabb9f25b29d818e9aa595fa2ff",
"annotations": {
"dev.cosignproject.cosign/signature": "DLDjxmPo5pJOaoX3+EPzMBGMQ85iaKadAdCIPVh80fidXy8cf194JT0/J3dbS1isxmFEPNolpdsU\nZtJ1Nsq1zM5biyM6iwyEZre07nAkvxrhrr+33BGI4p8Iq8snfyF/Dn9kkntxpAgXfQbtg2M0GMcv\n8hO7Vq7rlX2ZJTqfPgyfxIoobIml1wfA5MksiYbzxryCKG/p1Da9rytJPA36QbLsZEK/pjVH993m\ny3pylEDqkqi2kbNQFMZr9Pc3Blx1UiRP+8qDlmI+D1g+Qf0xo8VUTGgcsWZQBuIBXa35RakbA5Ib\nXurzHWU0nnk0IFdicUlaORIrKr/7SeIjC6mcew==\n",
"dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ\nKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw\nM1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w\nDAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG\nA1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W\nBLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06\ne/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib\n63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs\ni/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW\nj9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL\nVQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw\nCQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD\nVQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh\ncm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud\nDwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui\nwuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k\nZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+\nVwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ\ntTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz\nQetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu\nB3ZlZ7xhkqYB2vHjk2c=\n-----END CERTIFICATE-----\n",
"dev.sigstore.cosign/chain": "-----BEGIN CERTIFICATE-----\nMIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN\nMjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z\nEfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom\nLCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C\nUmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp\ndwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3\nbRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB\nAAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF\nMAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD\nggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt\ne1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m\nff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e\nn8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr\nQTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz\n2itq2p3qLmcxj+YguGUCLLL0K1c=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN\nMjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa\nMEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf\nof+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5\nwPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf\nyFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn\ndc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT\nMFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB\nxLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I\nYyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95\n+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE\nuZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc\nX7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A\nFuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=\n-----END CERTIFICATE-----\n"
}
}
]
}
Verify using cosign verify command
export SIGSTORE_ROOT_FILE=
echo $SIGSTORE_ROOT_FILE
/home/mukul/policy-controller/mypolicy/rootCA.crt
/home/mukul/policy-controller/mypolicy>./cosign-linux-amd64 verify ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9 --insecure-ignore-sct --insecure-ignore-tlog --certificate-identity-regexp '.' --certificate-oidc-issuer-regexp '.'
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9 --
The following checks were performed on each of these signatures:
[{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/68ab7a70"},"image":{"docker-manifest-digest":"sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
Verification using policy tester
To verify the policy for this scenario i used the policy Tester.
Created following policies
Policy File: cip-my-keyless.yaml
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
name: demo
spec:
images:
- glob: ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9
authorities:
trustRootRef: my-sigstore-keys
url: https://fulcio.mysigstore.dev
insecureIgnoreSCT: true
identities:
subjectRegExp: '.'
Trust Root: file my-sigstore-keys.yaml
apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
name: my-sigstore-keys
spec:
sigstoreKeys:
certificateAuthorities:
- subject:
organization:
commonName:
uri: https://sigstore-hostname
certChain: |-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwekNDQXJ1Z0F3SUJBZ0lVUnJVZEhaSk16
eWtSVU05aERlTHJMdHlWeFU4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2VURUxNQWtHQTFVRUJoTUNT
VTR4Q3pBSkJnTlZCQWdNQWxWUU1RNHdEQVlEVlFRSERBVnViMmxrWVRFTwpNQXdHQTFVRUNnd0Zi
bTlyYVdFeEREQUtCZ05WQkFzTUEwTk9VekVNTUFvR0ExVUVBd3dEVGtORU1TRXdId1lKCktvWklo
dmNOQVFrQkZoSnRkV3QxYkM1emFHRnliV0ZBYm05cmFXRXdIaGNOTWpJeE1URTNNRFUxTkRBNFdo
Y04KTWpjeE1URTJNRFUxTkRBNFdqQjVNUXN3Q1FZRFZRUUdFd0pKVGpFTE1Ba0dBMVVFQ0F3Q1ZW
QXhEakFNQmdOVgpCQWNNQlc1dmFXUmhNUTR3REFZRFZRUUtEQVZ1YjJ0cFlURU1NQW9HQTFVRUN3
d0RRMDVUTVF3d0NnWURWUVFECkRBTk9RMFF4SVRBZkJna3Foa2lHOXcwQkNRRVdFbTExYTNWc0xu
Tm9ZWEp0WVVCdWIydHBZVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dn
RUJBTXdEdFErQ3hwWm1GNHJ1V1dGTURIeEpINTY0WlJZYQpNRXRKT2FoSlowbEZUZk5FcXV0UkEw
K05MWlBQb2MzakVYM2Iyazg5VmxEUmlyN284NTNOSExtL0F0RHN2ZWtmCm9mK3FodzRCdHJNc3RN
UW9vbTI0ZkxsZDJYYmNnQW84RHdBWU5RTVVGS2ZOalp2Sk9ORVFncmNhc0V1ZUxKbjUKd1BEZ0xX
cjRzZ3g1Z25zRU9OTUU2eXVtemdBUHZmZjBsZko4L0E1azhWbVRtSno4dUx1S054WVJIYjNvNWNL
Zgp5RlZhR0FmN3dDeEVuOEpnNVNSVGh5ZUcydWswSUZzWDVMOUJoSmdmcWV2ZU5RaDNXaXluSFlM
cVpKM0ZBQ1JuCmRjM2dVaW85NEVjMVVqWkExQktzek54ODl6VUFmNkt6ckxrdng5NUl2VWF1cTNo
YWJHS0V6M2NDQXdFQUFhTlQKTUZFd0hRWURWUjBPQkJZRUZMbUJ4THJ2d2JiQWlMSHhFYU5haTNz
UzdkMTVNQjhHQTFVZEl3UVlNQmFBRkxtQgp4THJ2d2JiQWlMSHhFYU5haTNzUzdkMTVNQThHQTFV
ZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMCkJRQURnZ0VCQU1Bb09MNTkrMXgzR3BV
OFB5SWdqWTNpeXZpYUxPdGRsQTh3YkNUMjFuUDBmakdTMlJOaHNxNUkKWXlQUmY2dzNXTFRtZ2tY
STdQM0xwTTlmWWFuQnpTRnJQTkI2eDBwTm1hb2tnQUVLeHFLcXFmVWZnU1lUdGc5NQorNWJkZDkv
WlF3MjEwS0dpRDZBWmY4N1hwNngzVTluK3V2U2xnNUNhSVUyTzJpT3lwajdhejVFQlNWeW9CdklF
Testing using policy tester
When i test this policy and trust root it fails
/home/mukul/policy-controller/mypolicy>./policy-tester -image ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9 -policy cip-my-keyless.yaml -trustroot my-sigstore-keys.yaml
2023-04-07T12:01:05.933+0530 DEBUG webhook/validator.go:497 Checking Authority: authority-0
2023-04-07T12:01:10.896+0530 ERROR webhook/validator.go:763 failed validSignatures for authority authority-0 with fulcio for ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9: no matching signatures:
no certificate found on signature
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
github.com/sigstore/policy-controller/pkg/webhook.ValidatePolicySignaturesForAuthority
github.com/sigstore/policy-controller/pkg/webhook/validator.go:763
github.com/sigstore/policy-controller/pkg/webhook.ValidatePolicy.func1
github.com/sigstore/policy-controller/pkg/webhook/validator.go:529
{"errors":["signature keyless validation failed for authority authority-0 for ttl.sh/cosign-ci/68ab7a70@sha256:ffb13da98453e0f04d33a6eee5bb8e46ee50d08ebe17735fc0779d0349e889e9: no matching signatures:\nno certificate found on signature\n cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE: "]}
It works only when i use the complete cert chain i.e. (Intermediate cert + Root Cert) in the argument
Impact and benefit of this issue
currently as i notice policy controller only support passing complete cert chain in the argument to validate the signature.
This will have impact on usability in the case where an organization generates separate Intermediate Certs for its departments, so in such case the policy logic will become complex
This can be made simple if we allow only Root cert to be used for verification as is allowed in cosign tool. In that case we will just need a single Trust Root and can use that trust root in all the policies.
The text was updated successfully, but these errors were encountered: