Closed woodruffw closed 6 months ago
Oh yeah huh. I'm not sure we use the new extensions either
Cosign only uses the old extensions too, though we should move over to the new ones to support CI identity verification for more than just GHA.
Fulcio won't remove the extensions until a V2 API, so for now, generating a certificate where the deprecated extensions are present would be reflective of what we are doing in prod.
Makes sense to me. Yeah, in that case I think this case needs to be re-generated even if clients move towards the new extensions :slightly_smiling_face:
Lemme work on regenerating this case with the legacy extensions in place.
It looks like `d.txt.good.sigstore`'s leaf certificate has an extension for `1.3.6.1.4.1.57264.1.8` (i.e. OIDC Issuer V2) but not `1.3.6.1.4.1.57264.1.1` (i.e. the original OIDC Issuer extension). This puts it out of sync with the current PGI instance, which still produces certificates with both extensions for compatibility reasons. The legacy extension is deprecated, but some clients (like `sigstore-python`, unfortunately) haven't been able to move off of it because the new ones use a wrapper DER encoding that doesn't have straightforward API support yet :slightly_frowning_face:

Full dump:

CC @bdehamer @steiza: do you think we could re-generate these testcases, but with the legacy extension enabled as well? Or do you think that would be too painful? If the latter, this may be a sufficient kick in the ass for `sigstore-python` to finally get with the program and move over to the new extensions :slightly_smiling_face:

h/t @segiddins for noticing this :slightly_smiling_face:
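The encoding difference the thread turns on, as an added example (this is not code from the thread, from sigstore-python or from Fulcio): the legacy issuer extension `1.3.6.1.4.1.57264.1.1` carries the issuer URL as raw UTF-8 bytes, while the V2 extension `1.3.6.1.4.1.57264.1.8` wraps the same string in a DER `UTF8String` (tag `0x0C`, length, payload). The snippet below decodes both forms with a hand-rolled DER reader and shows why a legacy-only client fails on a certificate that carries only V2, which is the situation described for `d.txt.good.sigstore`. The extension dicts are constructed sample data standing in for the bytes a real client would read off the leaf certificate (with the `cryptography` library, the value of an `UnrecognizedExtension`); the function names are my own.

```python
"""Decode Fulcio's legacy and V2 OIDC Issuer certificate extensions.

Added example, not project code. The OIDs and encodings below match
Fulcio's documented extension layout; everything else is illustrative.
"""

OID_ISSUER_V1 = "1.3.6.1.4.1.57264.1.1"  # deprecated: raw UTF-8 bytes, no DER wrapper
OID_ISSUER_V2 = "1.3.6.1.4.1.57264.1.8"  # current: DER-encoded UTF8String

DER_UTF8STRING_TAG = 0x0C


def der_encode_utf8string(s: str) -> bytes:
    """Wrap a string as a DER UTF8String (tag, minimal length, payload)."""
    body = s.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])  # short form: one byte
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")  # long form
    return bytes([DER_UTF8STRING_TAG]) + length + body


def der_decode_utf8string(data: bytes) -> str:
    """Strict inverse of der_encode_utf8string: rejects wrong tag, non-minimal
    lengths and trailing bytes, since a verifier should not accept sloppy DER."""
    if len(data) < 2 or data[0] != DER_UTF8STRING_TAG:
        raise ValueError("not a DER UTF8String")
    first = data[1]
    if first < 0x80:
        n, off = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
            raise ValueError("bad DER length")
        n = int.from_bytes(data[2:2 + nbytes], "big")
        off = 2 + nbytes
        if n < 0x80 or n < (1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal DER length")
    if len(data) != off + n:
        raise ValueError("DER length does not match payload")
    return data[off:off + n].decode("utf-8")


def issuer_from_extensions(exts: dict[str, bytes]) -> tuple[str, str]:
    """Return (issuer, source) from a {oid: raw_extension_value} map.

    Prefers V2, falls back to the legacy extension, and refuses a certificate
    whose two copies disagree (a cert with both must say the same thing)."""
    v1 = exts.get(OID_ISSUER_V1)
    v2 = exts.get(OID_ISSUER_V2)
    if v1 is None and v2 is None:
        raise ValueError("certificate carries no OIDC Issuer extension")
    v1_issuer = v1.decode("utf-8") if v1 is not None else None
    v2_issuer = der_decode_utf8string(v2) if v2 is not None else None
    if v1_issuer is not None and v2_issuer is not None and v1_issuer != v2_issuer:
        raise ValueError(f"issuer mismatch: legacy={v1_issuer!r} v2={v2_issuer!r}")
    if v2_issuer is not None:
        return v2_issuer, "v2"
    return v1_issuer, "v1"


def legacy_client_can_verify(exts: dict[str, bytes]) -> bool:
    """Model a client that only knows the deprecated extension."""
    return OID_ISSUER_V1 in exts


# Constructed sample data (not taken from any real certificate).
ISSUER = "https://token.actions.githubusercontent.com"

# What the PGI currently emits: both extensions, for compatibility.
PROD_STYLE_EXTENSIONS = {
    OID_ISSUER_V1: ISSUER.encode("utf-8"),
    OID_ISSUER_V2: der_encode_utf8string(ISSUER),
}

# What the regenerated testcase looks like: V2 only.
V2_ONLY_EXTENSIONS = {
    OID_ISSUER_V2: der_encode_utf8string(ISSUER),
}


if __name__ == "__main__":
    print(issuer_from_extensions(PROD_STYLE_EXTENSIONS))
    print(issuer_from_extensions(V2_ONLY_EXTENSIONS))
    print("legacy client ok on prod-style cert:", legacy_client_can_verify(PROD_STYLE_EXTENSIONS))
    print("legacy client ok on V2-only cert:", legacy_client_can_verify(V2_ONLY_EXTENSIONS))
```

The strict decoder is deliberate: a verifier that accepts non-minimal lengths or trailing bytes lets two differently encoded values decode to the same issuer, which is the kind of ambiguity an identity check should refuse.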