Closed mattmoor closed 2 months ago
whoops, amended with my test file
Attention: Patch coverage is 60.00000% with 2 lines in your changes missing coverage. Please review.
Project coverage is 49.58%. Comparing base (cf238ac) to head (587eb8e). Report is 136 commits behind head on main.
Files | Patch % | Lines |
---|---|---|
pkg/identity/chainguard/principal.go | 60.00% | 1 Missing and 1 partial |
I'll cut 1.5.1 with this fix. I'm going to need to revert a PR that went in recently first, as a cherry-picked release is a bit of a pain.
Summary
The cosign logic for interacting with Fulcio treats identity tokens as largely opaque, and most of the logic for how issuers and subjects and whatnot are handled happens server-side. However, for the "proof of possession", `cosign` has some logic (from `sigstore/sigstore`) that fumbles with `email` and `sub` claims in ways that have (until now) been compatible with Fulcio principals.

The Chainguard provider is the first provider that optionally includes an `email` claim, but we always want the subject we use to be our opaque identifier string (from `sub`). This creates a tear in the fulcio/cosign continuum, and so we must surface what `cosign` is signing as `Name()` even though that isn't necessarily what we embed in the certificate.

The only correct way to implement `Name()` today is to match what this function does, and current implementations happen to align, but unfortunately because of how this abstraction is formulated it is challenging to actually change how we confirm the proof of possession to use this directly in place of the principal itself.

Fixes: https://github.com/sigstore/cosign/issues/3777
Release Note
This corrects the Chainguard PoP verification flow for tokens that embed email claims (makes `Name()` consistent with `cosign`).
Documentation
N/A
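As an added illustration (not code from this PR, from Fulcio, or from cosign), the proof-of-possession mismatch the description refers to, modelled in Go: the client signs the subject it derives from the token (assumed here to be `email` when present, otherwise `sub`, following the description's account of cosign's handling), and the server verifies that signature against the principal's `Name()`. The `Claims`, `principal`, `popSubject` and `PoPOutcome` names, and the sample claim values, are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Claims are the token claims the PoP flow cares about (constructed here; a
// real token is a verified OIDC JWT). Email is optional for Chainguard.
type Claims struct{ Sub, Email string }

// popSubject models (assumption) what the cosign client signs for proof of
// possession: the email claim when present, otherwise sub.
func popSubject(c Claims) string {
	if c.Email != "" {
		return c.Email
	}
	return c.Sub
}

// principal stands in for the Chainguard provider (not Fulcio's type).
type principal struct{ claims Claims }

func (p principal) Identifier() string { return p.claims.Sub }         // cert identifier: always sub
func (p principal) NameBefore() string { return p.claims.Sub }         // pre-fix Name(): same as cert
func (p principal) Name() string       { return popSubject(p.claims) } // fixed Name(): what cosign signs

// verifyPoP is the server side: the PoP signature must cover the name.
func verifyPoP(pub *ecdsa.PublicKey, name string, sig []byte) bool {
	h := sha256.Sum256([]byte(name))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// PoPOutcome signs popSubject(c) as the client would, then reports whether
// the server accepts that signature against the pre-fix and corrected Name().
func PoPOutcome(c Claims) (before, after bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	h := sha256.Sum256([]byte(popSubject(c)))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return false, false, err
	}
	p := principal{claims: c}
	return verifyPoP(&key.PublicKey, p.NameBefore(), sig),
		verifyPoP(&key.PublicKey, p.Name(), sig), nil
}
```

For a token carrying an `email` claim the pre-fix `Name()` rejects the client's signature while the corrected one accepts it; for a `sub`-only token both agree, which is why the mismatch went unnoticed until this provider.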