slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

feat: verify certs are recorded in CT #458

Open laurentsimon opened 1 year ago

laurentsimon commented 1 year ago

We should try to turn on this option if possible, stapling or anything the server supports.

asraa commented 1 year ago

We can do this. It requires regenerating some of the older testcases that didn't have SCT's added by default.

laurentsimon commented 1 year ago

I think we're talking about 2 different things and both have value :)

  1. When connecting to rekor, ensure the TLS connection verifies presence of the cert in the CT
  2. Verify the certs used by Sigstore (Rekor's cert used to sign the SET, leaf cert used to sign an attestation) have a CT entry

Correct?

asraa commented 1 year ago

Oops, we are, I read this too fast :)

When connecting to rekor, ensure the TLS connection verifies presence of the cert in the CT

So this is ensuring the cert connection to TUF verifies the SCT?

laurentsimon commented 1 year ago

Yes. I'm realizing this may not be strictly necessary for verification, since TUF does not need TLS. Maybe better suited for the generator during OIDC <-> cert with Fulcio; it would ensure someone else cannot get the OIDC token. (I have another tracking issue in the other repo)

laurentsimon commented 1 year ago

Let's also add a comment in the code that CT is verified for leaf certs, as per https://github.com/sigstore/cosign/blob/5d2964c3d7cb33dada6e945aac2c80008780475d/pkg/cosign/verify.go#L237
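For the second item in the list above (checking that a leaf certificate really does have a CT entry), the following is an added Go example that is not code from slsa-verifier or cosign. It parses a detached v1 SCT, reconstructs the RFC 6962 signed data for an x509_entry, checks the log ID against a set of trusted logs, and verifies the log's ECDSA signature. The log key, the throwaway self-signed leaf and the SCT are all generated inside the block (constructed material, not real Sigstore keys or certificates), and the names `sct`, `appendUint`, `x509SignedData`, `marshalSCT`, `parseSCT`, `verifyDetachedSCT`, `must` and `demo` are my own. Embedded SCTs, which Fulcio issues and which the linked cosign code checks, use the precert_entry form signed over the TBS with the SCT extension removed; that reconstruction is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sct: a v1 SignedCertificateTimestamp (RFC 6962 s3.2); empty extensions and sha256/ecdsa assumed.
type sct struct {
	LogID     [32]byte // SHA-256 of the log's DER-encoded public key
	Timestamp uint64   // milliseconds since the Unix epoch
	Signature []byte   // DER-encoded ECDSA signature
}

// appendUint appends v as an n-byte big-endian field (TLS-style encoding).
func appendUint(b []byte, v uint64, n int) []byte {
	for i := n - 1; i >= 0; i-- {
		b = append(b, byte(v>>(8*uint(i))))
	}
	return b
}

// x509SignedData rebuilds the RFC 6962 "digitally-signed" input for an x509_entry.
func x509SignedData(timestamp uint64, leafDER []byte) []byte {
	d := appendUint([]byte{0, 0}, timestamp, 8) // v1, certificate_timestamp
	d = appendUint(d, 0, 2)                     // entry_type = x509_entry
	d = append(appendUint(d, uint64(len(leafDER)), 3), leafDER...)
	return appendUint(d, 0, 2) // no extensions
}

// marshalSCT serializes an SCT; parseSCT is its inverse with length checks.
func marshalSCT(s sct) []byte {
	b := appendUint(append([]byte{0}, s.LogID[:]...), s.Timestamp, 8)
	b = append(appendUint(b, 0, 2), 4, 3) // no extensions; hash=sha256, sig=ecdsa
	return append(appendUint(b, uint64(len(s.Signature)), 2), s.Signature...)
}
func parseSCT(b []byte) (s sct, err error) {
	if len(b) < 47 || b[0] != 0 || int(binary.BigEndian.Uint16(b[45:47])) != len(b)-47 {
		return s, errors.New("truncated, non-v1 or mis-sized SCT")
	}
	if binary.BigEndian.Uint16(b[41:43]) != 0 || b[43] != 4 || b[44] != 3 {
		return s, errors.New("SCT extensions or non-sha256/ecdsa algorithms not handled here")
	}
	copy(s.LogID[:], b[1:33])
	s.Timestamp = binary.BigEndian.Uint64(b[33:41])
	s.Signature = b[47:]
	return s, nil
}

// verifyDetachedSCT accepts the leaf only if a trusted log's signature verifies over its x509_entry.
func verifyDetachedSCT(leafDER, rawSCT []byte, logs map[[32]byte]*ecdsa.PublicKey) error {
	s, err := parseSCT(rawSCT)
	if err != nil {
		return err
	}
	pub, ok := logs[s.LogID]
	if !ok {
		return errors.New("SCT was issued by a log that is not in the trusted set")
	}
	digest := sha256.Sum256(x509SignedData(s.Timestamp, leafDER))
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return errors.New("SCT signature does not verify over this certificate")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demo plays a constructed log: issue a throwaway leaf, sign its entry, then verify three ways.
func demo() (genuine, untrusted, tampered error) {
	logKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	leafDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &leafKey.PublicKey, leafKey))
	s := sct{LogID: sha256.Sum256(must(x509.MarshalPKIXPublicKey(&logKey.PublicKey))), Timestamp: uint64(time.Now().UnixMilli())}
	digest := sha256.Sum256(x509SignedData(s.Timestamp, leafDER))
	s.Signature = must(ecdsa.SignASN1(rand.Reader, logKey, digest[:]))
	logs := map[[32]byte]*ecdsa.PublicKey{s.LogID: &logKey.PublicKey}
	raw, bad := marshalSCT(s), marshalSCT(s)
	bad[40] ^= 1 // flip a timestamp bit: the signature no longer covers this SCT
	return verifyDetachedSCT(leafDER, raw, logs), verifyDetachedSCT(leafDER, raw, nil), verifyDetachedSCT(leafDER, bad, logs)
}

func main() {
	genuine, untrusted, tampered := demo()
	fmt.Println("genuine:", genuine, "| untrusted log:", untrusted, "| tampered:", tampered)
}
```

The three verdicts from `demo` make the point of the issue concrete: the genuine SCT passes, the same SCT is rejected when the verifier trusts no logs (so the trusted-log set, not the presence of an SCT, is what gives the check any meaning), and a single flipped timestamp bit is rejected because the timestamp is part of the signed data.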