
Release: sign via ambient credentials #50

Closed
di opened this issue Apr 28, 2022 · 3 comments
Labels
component:signing Core signing functionality enhancement New feature or request

di commented Apr 28, 2022

Description

Once this library supports ambient credential detection in #31, we should update our release workflow to sign via GitHub's ambient OIDC identity instead of explicitly requesting it.

Blocked on #31.

@di di added the enhancement New feature or request label Apr 28, 2022
woodruffw commented:
From conversation: we should do this ambient detection by default, but also allow users to explicitly disable it (e.g. with --no-ambient).

Here's one possible order of precedence (from highest to lowest):

  1. Explicit identity token via --identity-token=...
  2. Ambient credential from one of many sources (environment, REST endpoint, etc.)
  3. Interactive OAuth flow
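
The precedence proposed above, as an added illustration in Python that is not sigstore-python's own code: the detector interface, the `EXAMPLE_OIDC_TOKEN` variable and the token values are constructed for the example, and it also covers two cases the list implies but does not spell out (a source that is present but unusable, and a headless job with no interactive flow to fall back on).

```python
from __future__ import annotations

from typing import Callable, Mapping, Optional

# A detector returns an identity token, or None when its source is absent.
Detector = Callable[[], Optional[str]]


class AmbientCredentialError(Exception):
    """A credential source is present but cannot yield a usable token."""


def env_detector(env: Mapping[str, str], var: str = "EXAMPLE_OIDC_TOKEN") -> Detector:
    """Ambient detector reading a token from the environment (variable name is constructed)."""

    def detect() -> Optional[str]:
        if var not in env:
            return None  # source absent: let the next detector try
        token = env[var].strip()
        if not token:
            # Source present but unusable: fail loudly instead of silently
            # falling through to a lower-precedence source.
            raise AmbientCredentialError(f"{var} is set but empty")
        return token

    return detect


def resolve_identity_token(
    explicit_token: Optional[str],
    detectors: list[tuple[str, Detector]],
    interactive: Optional[Callable[[], str]],
) -> tuple[str, str]:
    """Return (token, source) following the proposed precedence.

    `interactive` is None when no interactive flow is available (e.g. a
    headless CI job); exhausting the detectors is then an error rather
    than a hang waiting for a browser.
    """
    if explicit_token:
        return explicit_token, "explicit"
    for name, detect in detectors:
        token = detect()
        if token is not None:
            return token, f"ambient:{name}"
    if interactive is None:
        raise AmbientCredentialError("no ambient credential found and no interactive flow")
    return interactive(), "interactive"
```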

@woodruffw woodruffw added the component:signing Core signing functionality label Apr 29, 2022
di commented Apr 29, 2022

Let's not add any flags to disable ambient credential detection until we get some feedback on sigstore/cosign#1819.

woodruffw commented:
The groundwork here is all done; we just need to add more ambient detectors (which is tracked separately).

javanlacerda pushed a commit to javanlacerda/sigstore-python that referenced this issue Feb 23, 2024
* test: Add tests for signature validation failures

* test: Ignore types for `pytest`

* test: Remove redundant file removal

* test: Add test for invalid certificate chain

* Move `artifacts/` to `test/assets/`

* test: Remove unnecessary file swapping