sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0
48 stars 26 forks

expand oci-image-verification example for private infra #321

Closed dmitris closed 2 weeks ago

dmitris commented 1 month ago

Summary

This PR expands the oci-image-verification example with additional options for running it in a "private infrastructure" environment and to allow extracting non-Rekor-based timestamps from the OCI image being verified.

This is done in the mode of exploring the sigstore-go library and for now is a Draft - but I would appreciate any comments, especially on whether the timestamp extraction is done correctly. When trying the oci-image-verification on an internally signed image (with TSA), I'm getting an error going back to an ASN.1 parsing error (see my question on Slack):

$ oci-image-verification -onlineTlog=false -requireTlog=false -requireTimestamp=true -expectedIssuerRegex='.*' -trustedrootJSONpath=$HOME/dev/files/trustedroot.json -expectedSAN='spiffe://cd.internal.project/xyz/12345' -ociImage docker.acompany.com:4443/name/el8/abc:8.10
failed to verify timestamps: threshold not met for verified signed & log entry integrated timestamps: 0 < 1

As mentioned in the Slack message, the "underlying" error is (???)

ASN.1 parsing error from github.com/digitorus/timestamp.ParseResponse (called from github.com/sigstore/timestamp-authority/pkg/verification.VerifyTimestampResponse):
error parsing response into Timestamp: asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} response @2

Release Note

NONE

Documentation

n/a

dmitris commented 1 month ago

I was able to verify an OCI image using trustedroot.json; the command was similar to this one, therefore changing from Draft to "Ready to review":

$ oci-image-verification -ociImage docker.internal.com:4443/name/xyz:1.0 -onlineTlog=false -requireTlog=false -ignore-sct=true -requireTimestamp=true -expectedIssuerRegex='.*' -expectedSAN='spiffe://cd.cisystem.project/cd/build12345' -trustedrootJSONpath=trustedroot.json
Verification successful!
{
   "mediaType": "application/vnd.dev.sigstore.verificationresult+json;version=0.1",
   "signature": {
      "certificate": {
         "certificateIssuer": "CN=[common name]",
         "subjectAlternativeName": "spiffe://cd.cisystem.project/cd/build12345"
      }
   },
   "verifiedTimestamps": [
      {
         "type": "TimestampAuthority",
         "uri": "",
         "timestamp": "2024-10-10T01:28:22Z"
      }
   ],
   "verifiedIdentity": {
      "subjectAlternativeName": {
         "subjectAlternativeName": "spiffe://cd.cisystem.project/cd/build12345"
      },
      "issuer": {
         "issuer": "",
         "regexp": ".*"
      }
   }
}