search

sigstore / fulcio

Sigstore OIDC PKI
Apache License 2.0
646 stars 137 forks source link

Add Hellō Issuer #1683

Open dickhardt opened 3 months ago

dickhardt commented 3 months ago

Add https://issuer.hello.coop as an OIDC Identity Provider for sigstore

For details on Hellō see https://hello.coop/ & https://hello.dev/

haydentherapper commented 3 months ago

Thanks for reaching out. To start, can you take a look at https://github.com/sigstore/fulcio/blob/main/docs/new-idp-requirements.md? This outlines the requirements that we ask of IDPs integrating with the public instance. Do you meet these requirements?

To confirm, based on your documentation, it looks like issued identity tokens are for email addresses?

dickhardt commented 3 months ago

See PR https://github.com/sigstore/fulcio/pull/1684

Yes, Hellō meets those requirements.

Yes, ID Tokens are for an email address.

haydentherapper commented 1 month ago

@dickhardt, sorry for the delay in rollout, we were in the middle of a configuration update. We've rolled out support in staging - can you test? https://docs.sigstore.dev/system_config/public_deployment/#staging-instance has instructions on testing against staging with Cosign, though you can also just test by sending an identity token to Fulcio.

dickhardt commented 1 month ago

@haydentherapper

Tested -- works as expected.

Output from sign and verify below against staging using https://issuer.hello.coop issuer

% cosign sign --oidc-issuer "https://issuer.hello.coop" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" "ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"

Generating ephemeral keys...
Retrieving signed certificate...

    The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
    Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
    This may include the email address associated with the account with which you authenticate your contractual Agreement.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
Your browser will now be opened to:
https://wallet.hello.coop/authorize?access_type=online&client_id=sigstore&code_challenge=TZp-Pkvt7zGPP5gPzuYnF5HBs0KNKeOmw685t_qjXGg&code_challenge_method=S256&nonce=2kRFILmCQ1H4Cv9vWINycb87nyu&redirect_uri=http%3A%2F%2Flocalhost%3A55174%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2kRFINNPlrdKqE4V4YH7DaHY6zp
Successfully verified SCT...
tlog entry created with index: 31389007
Pushing signature to: ttl.sh/c020b59f
√ ~ % cosign verify --rekor-url "https://rekor.sigstage.dev" "ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7" --certificate-identity=dick.hardt@hello.coop --certificate-oidc-issuer=https://issuer.hello.coop

Verification for ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":{"identity":{"docker-reference":"ttl.sh/c020b59f"},"image":{"docker-manifest-digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://issuer.hello.coop","Bundle":{"SignedEntryTimestamp":"MEUCIB3+1Z874yN7N3keKEZUDpuR+awyYoJDuYqVWdfseV94AiEAjjFrG985lNzBiw7LY/0/CWZOQBx8EX1cCk2ZaFxw+UM=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzNjc3MzMzOGRhYjdjNjlmYjdlMzVjM2IxNGQ2NWM3MzE4MTBjMjUxYjdhODI4NTUwN2U4ZGNjMzI4ZTQ2NTg0In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FTUNJRWQrVG04UmJsQlVpZWRJNnRuTXNMN2VkbkpDU2tHS1l1K212UExOZFB1VUFoOURPY1ZNZ0FuQ21HU2dlaFpobXlTaktGVldSU1NmR1ppL3BYM2doNjVVIiwicHVibGljS2V5Ijp7ImNvbnRlbnQiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VONVZFTkRRV3NyWjBGM1NVSkJaMGxWUTNaaGEwWlBiR2xuWlhaTFdtZExWemd2TTBkTGNWRTNNbVJSZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmQwOUVRVFZOYWtWNFRYcFJNVmRvWTA1TmFsRjNUMFJCTlUxcVJYbE5lbEV4VjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVTViRWt4VDB0TlMwMXNZelJIZEVWSUwxa3hjVFZQV1hka1IybHRlRzByYjFacFltb0tWMFEyUkRFMGFVSnRhR05JWmxCek1YSnVaVTFaZUU4NVUwNVJXVTkxU0VSVVZXdEJVbTVGU25CbGNUVkZibkZUVFdGUFEwRlhOSGRuWjBaeFRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVk5PU3RYQ2xsNmEyRlFkR1ZVWlRKVldXWm5lVmxqTDNCb1JHWlJkMGgzV1VSV1VqQnFRa0puZDBadlFWVmpXVmwzY0doU09GbHRMelU1T1dJd1FsSndMMWd2TDNJS1lqWjNkMGwzV1VSV1VqQlNRVkZJTDBKQ2EzZEdORVZXV2tkc2FtRjVOVzlaV0VwclpFVkNiMXBYZUhOaWVUVnFZakk1ZDAxRFkwZERhWE5IUVZGUlFncG5OemgzUVZGRlJVZFhhREJrU0VKNlQyazRkbUZZVG5wa1YxWjVURzFvYkdKSGVIWk1iVTUyWWpOQmQwdFJXVXRMZDFsQ1FrRkhSSFo2UVVKRFFWRmlDa1JDYkc5a1NGSjNZM3B2ZGt3eWJIcGpNMVpzWTJrMWIxcFhlSE5pZVRWcVlqSTVkMDFKUjBwQ1oyOXlRbWRGUlVGa1dqVkJaMUZEUWtoelJXVlJRak1LUVVoVlFVdDZRemd6UjJsSmVXVk1hREpEV1hCWWJsRm1VMFJyZUd4blRIbHVSRkJNV0d0T1FTOXlTM05vYm05QlFVRkhVazlRTWtwT2QwRkJRa0ZOUVFwU2FrSkZRV2xDZVVKMldUVlJaMWRFU0UxVU16QnBOWFJNZW1oVU5FczBjRkJ5U0RWcmMyRnNiMEZ0TUdvdlVWbHpkMGxuWVVod2J6TlhkamR1VkdOc0NqVkJOVVpKVFd0VmVUTkRPVko0SzJaUUt6VXdSME5ST0VrelRUSXJkVmwzUTJkWlNVdHZXa2w2YWpCRlFYZE5SR0ZCUVhkYVVVbDRRVXBaVFVncldrZ0tXR3h0YkVaeWVFTlZiRFpPYzJFd1JHVmhRbEZpYlRocFNXcFNhWEpNY1ZkRVRIUlFjR1E0TUhsTVRscHdTRTh4Wm5vMlZURkxNM0Z1ZDBsM1pHWlBjQXBYWjA4NWFqQmphR0pPWms0d1psbDNka2hQY2tKaldHTnhVR0ZGZDFaUVMxbDRlRXBaY0dGSlZEVjJjemx5T1hCWFVrcE1aRmxLYWxFM1RFb0tMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0ifX19fQ==","integratedTime":1723238027,"logIndex":31388804,"logID":"d32f30a3c32d639c2b762205a21c7bb07788e68283a4ae6f42118723a1bea496"}},"Issuer":"https://issuer.hello.coop","Subject":"dick.hardt@hello.coop"}},{"critical":{"identity":{"docker-reference":"ttl.sh/c020b59f"},"image":{"docker-manifest-digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://issuer.hello.coop","Bundle":{"SignedEntryTimestamp":"MEQCIBEpQm4JHnjtDESo8q+DMFeeiX2j6OWw/i7W0ar2jUfNAiBg0e6F0/vA4M0WSmKX5tUNpRrWAu9VtxLo21U3o+Uxvg==","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzNjc3MzMzOGRhYjdjNjlmYjdlMzVjM2IxNGQ2NWM3MzE4MTBjMjUxYjdhODI4NTUwN2U4ZGNjMzI4ZTQ2NTg0In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQ1BKUWNqQ1YyRWk2K3BNNXMxdTJKZUdWejE0T0lkQkFjdkVqNjkvbVI1ekFpQVVZOXBqTCtMNmpHYWRxaUlkaWdsY2pBbzRvMVozT21BWUx2THZFSkdBNWc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjVWRU5EUVd4RFowRjNTVUpCWjBsVlJEQlVjM0pTTTFrMVptRTRUMHBIWlRKc1ZHMHhjR1Z3UkdVNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDlFUVRWTmFrVjVUVVJCZWxkb1kwNU5hbEYzVDBSQk5VMXFSWHBOUkVGNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVVyWlVaUGIzVkxabTlNYlRkblUwUXlWRVJvU0RBcmNYRTJSbTFDZEVkM2JUVnBia2NLYlRaeFQwZG1jbFV3ZEhGaGNITlpNVnB3YlM5RU9VODJaRGxyYkVwWGQyNWlWa0Z5Y0d4TlVWSnFXalZDZURJd1RVdFBRMEZYT0hkblowWnlUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZVZVhoeUNpOU1LMHMxTldacmEyYzNiMEowWkRSTlIxQmxZbEZWZDBoM1dVUldVakJxUWtKbmQwWnZRVlZqV1ZsM2NHaFNPRmx0THpVNU9XSXdRbEp3TDFndkwzSUtZalozZDBsM1dVUldVakJTUVZGSUwwSkNhM2RHTkVWV1drZHNhbUY1Tlc5WldFcHJaRVZDYjFwWGVITmllVFZxWWpJNWQwMURZMGREYVhOSFFWRlJRZ3BuTnpoM1FWRkZSVWRYYURCa1NFSjZUMms0ZG1GWVRucGtWMVo1VEcxb2JHSkhlSFpNYlU1MllqTkJkMHRSV1V0TGQxbENRa0ZIUkhaNlFVSkRRVkZpQ2tSQ2JHOWtTRkozWTNwdmRrd3liSHBqTTFac1kyazFiMXBYZUhOaWVUVnFZakk1ZDAxSlIwdENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpRS1FVaFpRVXQ2UXpnelIybEplV1ZNYURKRFdYQllibEZtVTBScmVHeG5USGx1UkZCTVdHdE9RUzl5UzNOb2JtOUJRVUZIVWs5UlRrMHlVVUZCUWtGTlFRcFNla0pHUVdsRlFXMTNTVm95VnpGcmRsQXdWQzgySzFGQk1FMVFURmxUVEVobVF6VndUSGRzYm5kMWNrcG1iVGhRTTNORFNVaFJiRFkyYTFaQldrUlRDbGhxZVc1MWIzSXdjVFl2VmsxRlJqUXhjVmxaY21vM1ZUaHJZWFI0YTNGRVRVRnZSME5EY1VkVFRUUTVRa0ZOUkVFeVkwRk5SMUZEVFVKV1FWQkNNbkVLU1dRMGJISkxTVUZHWm01aFoxRkNhVzluTXl0NWVUa3paalZDTldSWFNFSnlPVGxKTUV0bllWcHlhekJEYjJZd2NqRkpZVFExWkRsUFowbDNTbTVuVmdvclEzRm1WVTVIWm05QlFqTTBWbWRWYjNaaGNsWXJXVnBLUjIxQ1UwZDNOMWxhTXpjNWIybE1hVVpaYWpKTGRFcEdjRzA0VmxkTGFEZ3haVUVLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0=","integratedTime":1723238404,"logIndex":31389007,"logID":"d32f30a3c32d639c2b762205a21c7bb07788e68283a4ae6f42118723a1bea496"}},"Issuer":"https://issuer.hello.coop","Subject":"dick.hardt@hello.coop"}}]
dickhardt commented 1 month ago

@haydentherapper -- are there any issues with staging? when do you expect this to be deployed to production?

haydentherapper commented 1 month ago

Timely ping, we just deployed to prod an hour ago! Can you test against prod?