ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature: add support for keyless signed release #1417

Open laurentsimon opened 2 years ago

laurentsimon commented 2 years ago

We should add support for keyless cosign signing in the Signed-Release check.

cc @asraa

github-actions[bot] commented 12 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 7 months ago

This issue has been marked stale because it has been open for 60 days with no activity.

dadrus commented 7 months ago

I recently added the ossf scorecard to my project (https://github.com/dadrus/heimdall) and unfortunately was hit by the lack of keyless signing support, which obviously provides the required attestation. Without this support, the corresponding score can be considered a false negative without an option to fix it, which also means it is lower than it should be for my project.

I would really appreciate it if you addressed this FR.

See also the corresponding discussion in Slack: https://openssf.slack.com/archives/C0235AR8N2C/p1711287556171039?thread_ts=1711287556.171039&cid=C0235AR8N2C

adam-moss commented 7 months ago

We are currently looking to roll scorecard into ~13k projects. Keyless signing is definitely desirable from our point of view, as we're in the process of going "all-in" on sigstore and ephemeral keys.

laurentsimon commented 7 months ago

I think we have support at HEAD looking for .sigstore files, but we have not released yet. /cc @spencerschrock

dadrus commented 7 months ago

@laurentsimon: Could you please share a link to the corresponding PR? I would like to understand whether it would solve the issue I'm currently facing. .sigstore file doesn't say anything to me.

spencerschrock commented 7 months ago

> @laurentsimon: Could you please share a link to the corresponding PR? I would like to understand whether it would solve the issue I'm currently facing. .sigstore file doesn't say anything to me.

The relevant PR would be #3772, but I don't think it would help in your case.

@laurentsimon the repo in question uses this goreleaser config https://github.com/dadrus/heimdall/blob/f7d4aaab9ab34fa6c0babb9a31a733356ab0f8c2/.goreleaser.yaml#L50-L53, which you can see in the artifacts: https://github.com/dadrus/heimdall/releases

dadrus commented 7 months ago

Actually, there is more. Since goreleaser cannot properly sign an SBOM and attach it to the container images, there are https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L428-L453 (for dev images) and https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L529-L562 (for the released images) in place. Both result in additional packages you can find in GH (heimdall-sbom and heimdall-signatures, with the first being the signed SBOM and the second being the signature of the image, with both providing the same provenance as is also available for regular binaries) and in DockerHub (with the same capabilities).

dadrus commented 7 months ago

@spencerschrock: you're right, #3772 indeed won't help.

One question: Is there some information expected beyond what is available with Sigstore provenance? Here is what is available. If you e.g. download https://github.com/dadrus/heimdall/releases/download/v0.13.0-alpha/heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem and run cat heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem | base64 -d | openssl x509 -text -noout, you can see:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:70:33:86:76:56:8c:d3:21:91:a4:e3:47:66:2c:2d:2a:3b:f2:17
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O = sigstore.dev, CN = sigstore-intermediate
        Validity
            Not Before: Jan  3 14:09:00 2024 GMT
            Not After : Jan  3 14:19:00 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5f:01:ae:ec:95:a0:c8:cc:08:13:d9:0d:93:dc:
                    85:4f:89:a5:79:6d:ca:5f:9c:44:cf:f2:17:d2:d7:
                    fd:41:39:0d:a2:44:cd:5b:08:77:89:17:0d:bb:86:
                    83:8a:a7:de:36:ea:49:11:16:17:e1:b3:f1:4f:51:
                    f5:39:7b:59:c3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                98:17:05:60:BB:1D:8B:15:D2:15:CC:52:BF:BA:FA:2E:DC:B8:20:1E
            X509v3 Authority Key Identifier: 
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.1: 
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2: 
                push
            1.3.6.1.4.1.57264.1.3: 
                0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.4: 
                CI
            1.3.6.1.4.1.57264.1.5: 
                dadrus/heimdall
            1.3.6.1.4.1.57264.1.6: 
                refs/heads/main
            1.3.6.1.4.1.57264.1.8: 
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9: 
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.10: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.11: 
github-hosted   .
            1.3.6.1.4.1.57264.1.12: 
                ."https://github.com/dadrus/heimdall
            1.3.6.1.4.1.57264.1.13: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.14: 
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15: 
                ..480728437
            1.3.6.1.4.1.57264.1.16: 
                ..https://github.com/dadrus
            1.3.6.1.4.1.57264.1.17: 
                ..10072595
            1.3.6.1.4.1.57264.1.18: 
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.19: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.20: 
                ..push
            1.3.6.1.4.1.57264.1.21: 
                .Ehttps://github.com/dadrus/heimdall/actions/runs/7398184009/attempts/1
            1.3.6.1.4.1.57264.1.22: 
                ..public
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Jan  3 14:09:00.630 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:4A:D5:EC:4C:FE:50:E8:D6:6F:EF:31:E1:
                                3A:0B:BE:15:ED:32:C5:B1:66:2A:F5:B6:1F:80:AF:D2:
                                12:A4:80:88:02:21:00:B1:62:03:BF:DB:54:1A:5F:09:
                                57:92:63:58:94:63:8B:35:13:2E:7D:BD:12:4E:47:E0:
                                49:7A:A4:B7:A4:33:99
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:75:b6:fb:cb:a6:d1:fe:1d:08:40:e1:cd:62:f4:
        93:f1:c9:9b:ec:49:37:e4:76:5f:65:ac:28:95:fe:a1:6a:7e:
        4b:71:a0:26:d7:a8:7b:75:da:c4:15:e0:b5:94:77:85:02:30:
        7a:2e:7e:9c:bc:9c:e7:42:0f:34:36:d0:ad:09:c5:1a:cb:57:
        7e:50:71:29:cc:ea:cd:d1:02:96:89:31:d4:19:7d:7f:22:6f:
        da:ca:a4:0b:78:06:0c:63:7b:c7:b5:82

The definitions of the OIDs can be found in https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
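Added example (not code from Scorecard, heimdall, or anyone in this thread): what a Signed-Releases style check would have to do with a certificate like the one above is read the Fulcio claims and compare them with the repository being scored, rather than only notice that a signature or -keyless.pem file exists next to the artifact. The Go below extracts the OIDC issuer (OID 1.3.6.1.4.1.57264.1.8) and source repository (1.3.6.1.4.1.57264.1.12) extensions, unwrapping the DER UTF8String that shows up as the leading "." in the openssl dump, and rejects an identity whose claims point at a different repository. Because the real -keyless.pem is not on this page, MakeTestCert builds a constructed self-signed certificate with the same layout (empty subject, workflow URI SAN, custom extensions); the function names, the SigningIdentity type and the test values are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio extension OIDs (sigstore/fulcio docs/oid-info.md). 1.1..1.7 hold raw strings;
// 1.8+ wrap the value in a DER UTF8String (the "." openssl prints is tag 0x0C + length).
var (
	oidIssuer        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
	oidSourceRepoURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
)

const githubActionsIssuer = "https://token.actions.githubusercontent.com"

// SigningIdentity is the subset of Fulcio claims a signed-release check needs.
type SigningIdentity struct {
	Issuer        string // OIDC issuer that authenticated the signer
	WorkflowURI   string // SAN URI: workflow file@ref that ran the signing step
	SourceRepoURI string // repository the workflow belongs to
}

// decodeUTF8String unwraps a DER UTF8String and rejects trailing bytes.
func decodeUTF8String(der []byte) (s string, err error) {
	rest, err := asn1.UnmarshalWithParams(der, &s, "utf8")
	if err == nil && len(rest) != 0 {
		err = fmt.Errorf("%d trailing bytes after UTF8String", len(rest))
	}
	return s, err
}

// ParseFulcioIdentity pulls the GitHub-related claims out of a Fulcio-style certificate.
func ParseFulcioIdentity(cert *x509.Certificate) (id SigningIdentity, err error) {
	if len(cert.URIs) != 1 {
		return id, fmt.Errorf("expected exactly one URI SAN, got %d", len(cert.URIs))
	}
	id.WorkflowURI = cert.URIs[0].String()
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidIssuer):
			id.Issuer, err = decodeUTF8String(ext.Value)
		case ext.Id.Equal(oidSourceRepoURI):
			id.SourceRepoURI, err = decodeUTF8String(ext.Value)
		}
		if err != nil {
			return id, fmt.Errorf("extension %v: %w", ext.Id, err)
		}
	}
	return id, nil
}

// CheckReleaseIdentity accepts the identity only if the signer was a GitHub Actions
// workflow in the expected owner/name repository; a fork's copy of the workflow is rejected.
func CheckReleaseIdentity(id SigningIdentity, expectedRepo string) error {
	if id.Issuer != githubActionsIssuer {
		return fmt.Errorf("unexpected OIDC issuer %q", id.Issuer)
	}
	if want := "https://github.com/" + expectedRepo; id.SourceRepoURI != want {
		return fmt.Errorf("source repository %q is not %q", id.SourceRepoURI, want)
	}
	return nil
}

// MakeTestCert builds a self-signed certificate with the Fulcio layout. Constructed test
// data only; a real check takes the certificate from the release's -keyless.pem or .sigstore bundle.
func MakeTestCert(repo, workflowPath, ref string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	utf8Ext := func(oid asn1.ObjectIdentifier, v string) pkix.Extension {
		der, _ := asn1.MarshalWithParams(v, "utf8") // a Go string always marshals
		return pkix.Extension{Id: oid, Value: der}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute), // Fulcio certificates are short-lived
		URIs:         []*url.URL{{Scheme: "https", Host: "github.com", Path: "/" + repo + "/" + workflowPath + "@" + ref}},
		ExtraExtensions: []pkix.Extension{
			utf8Ext(oidIssuer, githubActionsIssuer),
			utf8Ext(oidSourceRepoURI, "https://github.com/"+repo),
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The identity comparison is only one half of the picture: before trusting any of these claims, a production check also has to verify the certificate chain to the Sigstore root and the transparency-log (Rekor) entry, and verify the signature over the artifact itself. Those steps are deliberately out of scope here; the snippet shows what the Fulcio extensions give a checker once that verification has passed.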