Open laurentsimon opened 2 years ago
This issue is stale because it has been open for 60 days with no activity.
I recently added the ossf scorecard to my project (https://github.com/dadrus/heimdall) and unfortunately was hit by the lack of keyless signing support, which obviously provides the required attestation. Without this support, the corresponding score can be considered a false negative without an option to fix it, which also means it is lower than it should be for my project.
I'd really appreciate it if you addressed this FR.
See also the corresponding discussion in Slack: https://openssf.slack.com/archives/C0235AR8N2C/p1711287556171039?thread_ts=1711287556.171039&cid=C0235AR8N2C
We are currently looking to roll scorecard into ~13k projects; keyless signing is definitely desirable from our point of view, as we're in the process of going "all-in" on sigstore and ephemeral keys.
I think we have support at HEAD looking for .sigstore files, but we have not released yet. /cc @spencerschrock
@laurentsimon: Could you please share a link to the corresponding PR? I would like to understand whether it would solve the issue I'm currently facing. A `.sigstore` file doesn't say anything to me.
The relevant PR would be #3772, but I don't think it would help in your case
@laurentsimon the repo in question uses this goreleaser config https://github.com/dadrus/heimdall/blob/f7d4aaab9ab34fa6c0babb9a31a733356ab0f8c2/.goreleaser.yaml#L50-L53 which you can see in the artifacts: https://github.com/dadrus/heimdall/releases
Actually, there is more. Since goreleaser cannot properly sign the SBOM and attach it to the container images, there are https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L428-L453 (for dev images) and https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L529-L562 (for the released images) in place. Both result in additional packages you can find in GH (heimdall-sbom and heimdall-signatures, with the first being the signed SBOM and the second being the signature of the image, both providing the same provenance as is also available for regular binaries) and in DockerHub (with the same capabilities).
@spencerschrock: you're right, #3772 indeed won't help
One question: is there some information expected beyond what is available with Sigstore provenance? Here is what is available. If you e.g. download https://github.com/dadrus/heimdall/releases/download/v0.13.0-alpha/heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem and run `cat heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem | base64 -d | openssl x509 -text -noout`, you can see

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:70:33:86:76:56:8c:d3:21:91:a4:e3:47:66:2c:2d:2a:3b:f2:17
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O = sigstore.dev, CN = sigstore-intermediate
        Validity
            Not Before: Jan  3 14:09:00 2024 GMT
            Not After : Jan  3 14:19:00 2024 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5f:01:ae:ec:95:a0:c8:cc:08:13:d9:0d:93:dc:
                    85:4f:89:a5:79:6d:ca:5f:9c:44:cf:f2:17:d2:d7:
                    fd:41:39:0d:a2:44:cd:5b:08:77:89:17:0d:bb:86:
                    83:8a:a7:de:36:ea:49:11:16:17:e1:b3:f1:4f:51:
                    f5:39:7b:59:c3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                98:17:05:60:BB:1D:8B:15:D2:15:CC:52:BF:BA:FA:2E:DC:B8:20:1E
            X509v3 Authority Key Identifier:
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2:
                push
            1.3.6.1.4.1.57264.1.3:
                0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.4:
                CI
            1.3.6.1.4.1.57264.1.5:
                dadrus/heimdall
            1.3.6.1.4.1.57264.1.6:
                refs/heads/main
            1.3.6.1.4.1.57264.1.8:
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9:
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.10:
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.11:
                github-hosted .
            1.3.6.1.4.1.57264.1.12:
                ."https://github.com/dadrus/heimdall
            1.3.6.1.4.1.57264.1.13:
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.14:
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15:
                ..480728437
            1.3.6.1.4.1.57264.1.16:
                ..https://github.com/dadrus
            1.3.6.1.4.1.57264.1.17:
                ..10072595
            1.3.6.1.4.1.57264.1.18:
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.19:
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.20:
                ..push
            1.3.6.1.4.1.57264.1.21:
                .Ehttps://github.com/dadrus/heimdall/actions/runs/7398184009/attempts/1
            1.3.6.1.4.1.57264.1.22:
                ..public
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Jan  3 14:09:00.630 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:4A:D5:EC:4C:FE:50:E8:D6:6F:EF:31:E1:
                                3A:0B:BE:15:ED:32:C5:B1:66:2A:F5:B6:1F:80:AF:D2:
                                12:A4:80:88:02:21:00:B1:62:03:BF:DB:54:1A:5F:09:
                                57:92:63:58:94:63:8B:35:13:2E:7D:BD:12:4E:47:E0:
                                49:7A:A4:B7:A4:33:99
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:75:b6:fb:cb:a6:d1:fe:1d:08:40:e1:cd:62:f4:
        93:f1:c9:9b:ec:49:37:e4:76:5f:65:ac:28:95:fe:a1:6a:7e:
        4b:71:a0:26:d7:a8:7b:75:da:c4:15:e0:b5:94:77:85:02:30:
        7a:2e:7e:9c:bc:9c:e7:42:0f:34:36:d0:ad:09:c5:1a:cb:57:
        7e:50:71:29:cc:ea:cd:d1:02:96:89:31:d4:19:7d:7f:22:6f:
        da:ca:a4:0b:78:06:0c:63:7b:c7:b5:82
```

The definitions of the OIDs can be found in https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
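As an added illustration (not code from this thread, from Scorecard or from heimdall), the following Go program shows what a Signed-Releases style check could extract from such a `-keyless.pem` certificate: it reads the Fulcio extensions 1.3.6.1.4.1.57264.1.8/.9/.12/.13 (DER-wrapped UTF8Strings, which is why openssl prints the `.L` / `.(` length bytes in front of them) and the SAN, then applies a simple policy that the signing identity is a GitHub Actions workflow living in the scored repository. `NewDemoCert` is a constructed, self-signed stand-in that carries the same claim values as the certificate above; a real check would additionally verify the chain to the Fulcio root and the Rekor inclusion proof (as `cosign verify-blob` does), which this example deliberately leaves out. The function and type names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Fulcio extension OIDs from sigstore/fulcio docs/oid-info.md. Extensions 1.8 and
// later hold a DER-encoded UTF8String rather than a raw string.
var (
	oidIssuerV2         = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
	oidBuildSignerURI   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}
	oidSourceRepoURI    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
	oidSourceRepoDigest = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 13}
)

// KeylessIdentity is the subset of Fulcio claims a release check cares about.
type KeylessIdentity struct {
	SAN, Issuer, BuildSigner, SourceRepo, SourceDigest string
}

// derUTF8 unwraps the DER UTF8String stored in the newer Fulcio extensions.
func derUTF8(raw []byte) (string, error) {
	var s string
	rest, err := asn1.UnmarshalWithParams(raw, &s, "utf8")
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing bytes after UTF8String")
	}
	return s, nil
}

// ParseFulcioIdentity reads the signing identity out of a PEM certificate such as
// the *-keyless.pem file published next to a cosign keyless release artifact.
func ParseFulcioIdentity(certPEM []byte) (*KeylessIdentity, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	id := &KeylessIdentity{}
	if len(cert.URIs) > 0 {
		id.SAN = cert.URIs[0].String()
	}
	targets := map[string]*string{
		oidIssuerV2.String():         &id.Issuer,
		oidBuildSignerURI.String():   &id.BuildSigner,
		oidSourceRepoURI.String():    &id.SourceRepo,
		oidSourceRepoDigest.String(): &id.SourceDigest,
	}
	for _, ext := range cert.Extensions {
		dst, ok := targets[ext.Id.String()]
		if !ok {
			continue // not a Fulcio claim we inspect
		}
		if *dst, err = derUTF8(ext.Value); err != nil {
			return nil, fmt.Errorf("extension %s: %w", ext.Id, err)
		}
	}
	return id, nil
}

// CheckReleaseSigner is the policy step: the certificate must come from the GitHub
// Actions OIDC issuer and name a workflow inside the repository being scored.
func CheckReleaseSigner(id *KeylessIdentity, repoURL string) error {
	if id.Issuer != "https://token.actions.githubusercontent.com" {
		return fmt.Errorf("unexpected OIDC issuer %q", id.Issuer)
	}
	if id.SourceRepo != repoURL {
		return fmt.Errorf("signed from %q, expected %q", id.SourceRepo, repoURL)
	}
	if !strings.HasPrefix(id.BuildSigner, repoURL+"/.github/workflows/") {
		return fmt.Errorf("signing workflow %q is outside %s", id.BuildSigner, repoURL)
	}
	return nil
}

// NewDemoCert builds a constructed, self-signed certificate carrying the claim values
// from the heimdall certificate quoted in the thread. It is NOT issued by Fulcio.
func NewDemoCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	workflow := "https://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main"
	var exts []pkix.Extension
	for _, c := range []struct {
		oid asn1.ObjectIdentifier
		val string
	}{
		{oidIssuerV2, "https://token.actions.githubusercontent.com"},
		{oidBuildSignerURI, workflow},
		{oidSourceRepoURI, "https://github.com/dadrus/heimdall"},
		{oidSourceRepoDigest, "0a89ca3660000094366df83c68762140e579ec86"},
	} {
		der, err := asn1.MarshalWithParams(c.val, "utf8") // DER UTF8String, as Fulcio does
		if err != nil {
			return nil, err
		}
		exts = append(exts, pkix.Extension{Id: c.oid, Value: der})
	}
	san, _ := url.Parse(workflow)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(10 * time.Minute), // Fulcio certs are short-lived
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:            []*url.URL{san},
		ExtraExtensions: exts,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := NewDemoCert()
	if err != nil {
		panic(err)
	}
	id, err := ParseFulcioIdentity(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signer: %s\nsource: %s@%s\n", id.BuildSigner, id.SourceRepo, id.SourceDigest)
	fmt.Println("policy:", CheckReleaseSigner(id, "https://github.com/dadrus/heimdall"))
}
```

The identity claims alone are not proof of anything: without chain validation against the Fulcio root and a Rekor inclusion check, anyone can mint a self-signed certificate with these extensions, exactly as `NewDemoCert` does. The value of the parse step is that, once the chain is trusted, it pins the release to a specific workflow, repository and commit, which is the attestation the check is being asked to recognise.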
We should add support for keyless cosign signing in the Signed-Release check.
cc @asraa