sigstore / fulcio

Sigstore OIDC PKI
Apache License 2.0

Fulcio unable to verify/retrieve Google Certificate Authority url path #638

Closed acald-creator closed 2 years ago

acald-creator commented 2 years ago

Description

First off, I want to say, I am a newcomer on Sigstore projects, but so far, I am loving the projects and I want to become involved in the process as well, so I'm making my way through each of the repositories and see what I can do. While I was doing that, I came across this tutorial so I can set it up myself within GCP and any other cloud platforms.

The one issue I came across is setting up Fulcio with Google Certificate Authority. Instead of installing SoftHSM on the server, I wanted to utilize Google Certificate Authority. Here are the steps I've done once I completed the tutorial.

I created the Certificate Authority and copied the path projects/<PROJECT_NAME>/locations/us-central1/caPools/<CA_POOL>/certificateAuthorities/20220602-xxx-xxx for later use.

/usr/local/bin/fulcio serve --config-path=/etc/fulcio-config/config.json --ca googleca --gcp_private_ca_parent=projects/<PROJECT_NAME>/locations/us-central1/caPools/<CA_POOL>/certificateAuthorities/20220602-xxx-xxx --ct-log-url http://sigstore-ctl:6105/sigstore --host=0.0.0.0 --port=5000 --log_type prod

In another terminal, I run cosign and this is the latest version of cosign.

COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.phxvlabs.dev/auth" --fulcio-url "https://fulcio.phxvlabs.dev" --rekor-url "https://rekor.phxvlabs.dev" ghcr.io/acald-creator/sigstore-thw:latest --verbose

Error message:

main.go:52: error during command execution: signing [ghcr.io/acald-creator/sigstore-thw:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":3, "message":"rpc error: code = InvalidArgument desc = Malformed collection name: 'caPools/certificateAuthorities/certificates'", "details":[]}

I found configuration information in the fulcio repository suggesting that fulcio may be looking for this pattern: --gcp_private_ca_parent=projects/project-rekor/locations/us-central1/certificateAuthorities/sigstore, but it didn't work for me because I then get an error

{"severity":"error","ts":1654272470.232576,"caller":"api/error.go:40","message":"returning with error","requestID":"phwqjTu5","code":"InvalidArgument","clientMessage":"rpc error: code = InvalidArgument desc = The CreateCertificateRequest proto is invalid:\\n * parent: The parent field does not match the expected pattern."

Please note that I have torn down the Fulcio server and rebuilt it a few times to see if the error came up again, and so far it has. Any suggestions?

What it should be doing is verifying the Google Certificate Authority path that I provided.

Version

I installed cosign by following the instructions in the cosign GitHub repository. I also installed the latest version of fulcio from its GitHub repository.

haydentherapper commented 2 years ago

Hey there, welcome!

The issue is that GCP CA Service issues certificates from the CA Pool resource, not the CA resource itself. To fix this, just drop the /certificateAuthorities/20220602-xxx-xxx suffix from the gcp_private_ca_parent flag, so gcp_private_ca_parent=projects/<PROJECT_NAME>/locations/us-central1/caPools/<CA_POOL>

The reference to gcp_private_ca_parent=projects/project-rekor/locations/us-central1/certificateAuthorities/sigstore is outdated. Which documentation did you see that referenced it, so we can clean it up? That was from when we used the beta version of GCP CA Service.

If you're testing, it may also be easier to simply use ca=ephemeralca, which sets up an in-memory CA. You can also do docker-compose up to stand up the CA and its dependencies.
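The distinction in the reply above (certificates are issued from the CA pool, so the parent must be the pool resource, not an individual CA or the retired beta form) can be checked before starting Fulcio. The following is an added example, not code from Fulcio; the resource-name patterns are assumptions modelled on the three path shapes that appear in this thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pool resource name: the value Fulcio's gcp_private_ca_parent flag needs.
var caPoolRe = regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/caPools/[^/]+$`)

// An individual CA inside a pool (what the console shows when you copy a CA path).
var caInPoolRe = regexp.MustCompile(`^(projects/[^/]+/locations/[^/]+/caPools/[^/]+)/certificateAuthorities/[^/]+$`)

// Beta-API form with no caPools segment; no longer accepted as a parent.
var betaCaRe = regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/certificateAuthorities/[^/]+$`)

// NormalizeParent returns the CA-pool resource name Fulcio should be given,
// stripping a trailing /certificateAuthorities/<CA> if present, or an error
// explaining why the value cannot be used as a parent.
func NormalizeParent(parent string) (string, error) {
	p := strings.TrimSpace(parent)
	switch {
	case caPoolRe.MatchString(p):
		return p, nil
	case caInPoolRe.MatchString(p):
		// Certificates are issued by the pool, so drop the CA suffix.
		return caInPoolRe.FindStringSubmatch(p)[1], nil
	case betaCaRe.MatchString(p):
		return "", fmt.Errorf("%q uses the retired beta certificateAuthorities form; expected projects/<PROJECT>/locations/<LOCATION>/caPools/<POOL>", p)
	default:
		return "", fmt.Errorf("%q is not a CA Service pool resource name", p)
	}
}

func main() {
	// Constructed sample values mirroring the paths discussed in the issue.
	for _, in := range []string{
		"projects/<PROJECT_NAME>/locations/us-central1/caPools/<CA_POOL>/certificateAuthorities/20220602-xxx-xxx",
		"projects/project-rekor/locations/us-central1/certificateAuthorities/sigstore",
	} {
		out, err := NormalizeParent(in)
		fmt.Printf("in=%s\n out=%s err=%v\n", in, out, err)
	}
}
```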

acald-creator commented 2 years ago

Hi, thank you for the prompt response!

The reference document I found to use gcp_private_ca_parent=projects/project-rekor/locations/us-central1/certificateAuthorities/sigstore is at https://github.com/sigstore/fulcio/tree/main/config

Let me try the suggestion and see if that works for me. I figured it was a path that fulcio is looking for, but I was scratching my head a bit. Reading Go code is still new to me, so I was looking at the codebase to see how fulcio reads the certificate authority, but I wasn't quite sure what the correct path is.

acald-creator commented 2 years ago

I was able to do it with the recommended change. The only thing I found was that Fulcio was asking for the ctfe public key file, which was not stated in the tutorial https://github.com/lukehinds/sigstore-the-hard-way/blob/main/docs/07-certifcate-transparency.md that I used for my first setup.

I found the recommended steps to create the public keys from https://blog.chainguard.dev/sigstore-the-local-way/.

So I'm not sure whether this was intended, or perhaps the documentation or tutorial was slightly outdated.

haydentherapper commented 2 years ago

For local testing, Cosign also has a flag where it'll skip the check that the certificate was included in a CT log. The local way blog post sets up a local environment with all the requirements.

haydentherapper commented 2 years ago

Created a PR with some doc cleanup, marking as fixed!