Comments (5)
haydentherapper
commented on July 25, 2024
cc @trevrosen @feelepxyz @laurentsimon who might also be interested
from fulcio.
feelepxyz
commented on July 25, 2024
@marshall007 thanks for writing this up!
Fulcio OIDs are loosely based on the assumption that providers can reliably produce immutable references to "job"-level configuration
This was not my intention when writing the initial proposal on these extensions and we should look to clarify this in the docs! I agree that we should primarily reference the "pipeline"/workflow-level/ invocations and their source config.
I'm keen to see if we can make this work with the current extensions and/or new ones without changing existing extensions to reducing any breaking changes and churn.
Checking your list:
- Run Invocation URI (required): uniquely identifies pipeline/workflow execution (typically a human-readable summary page)
- β The current GitLab and GitHub implementations seem correct to me
- Run Config URI/Digest (required): actual workflow/pipeline configuration ref
- For GitHub we put this info in the
Build Config URI/Digest, so this is a ref to the workflow config. - For GitLab
Build Config URIis currently set to the job URI and Build Config Digest is unset. Could we change the Build Config URI be to something likehttps:/gitlab.com/user/project/.gitlab-ci.ymlor similar ref to the config? If a config is used from the source repo, could the Build Config Digest be set to the same as Source Repository Digest?
- For GitHub we put this info in the
- Run Trigger: workflow/pipeline trigger/dispatch event
- Not sure it's wort changing the name here from the existing
Build Triggerbut maybe the split between run/build is a bit confusing and could be clarified
- Not sure it's wort changing the name here from the existing
- Build Invocation URI: uniquely identifies job execution (typically a human-readable summary page)
- For GitLab I imagine this would point to something like: https://gitlab.com/wlynch/npm-provenance-example/-/jobs/4276586778?
- The GitHub equivalent is https://github.com/sigstore/sigstore-js/actions/runs/4992584824/jobs/8940485186 but we don't include this anywhere atm
- I'd argue we don't really need this if we have the "pipeline"/workflow level summary that links to the job. Could we put this in the SLSA predicate as metadata instead?
- Build Config URI/Digest: actual build/job configuration ref
- I'd argue we should not try and link to the job level config and keep them as is and point them to the pipeline/workflow config
- Build Signer URI/Digest
- This should point to the resource that I need to trust in order to trust the integrity of the provenance and or build
- In the default case, I think this should just be the same as Build Config URI/Digest but if the system provides a way to run a job in an isolated environment from the triggering pipeline/workflow it should point to that resource so I can write policies against it
- For GitHub actions this points to the reusable workflow ref if the provenance was signed inside it, if not, it points to the workflow level config
- I believe GCP has some similar capability and TektonCD also has some way of running things in isolated pipelines
from fulcio.
feelepxyz
commented on July 25, 2024
- For GitLab
Build Config URIis currently set to the job URI and Build Config Digest is unset.
Ahh I see this was changed here for GitLab: https://github.com/sigstore/fulcio/pull/1183/files
It sounds like Build Config URI will be updated to pipeline_ref and Build Config Digest to pipeline_sha which sounds in line with the above assumptions.
from fulcio.
feelepxyz
commented on July 25, 2024
@marshall007 if using a external pipeline config in gitlab, e.g. http://example.com/generate/ci/config.yml - is this not the config that also contains the instructions to mint OIDC tokens and actually run the provenance generation as part of a step? Wondering if it would make sense to also update Build Signer URI/Digest to pipeline_ref/pipeline_sha to make it clear what config you would need to vet in order to trust what happened during the build/provenance generation?
from fulcio.
marshall007
commented on July 25, 2024
@feelepxyz I agree with your suggestions on the claims we (GitLab) should use to populate the OIDs. I think I am primarily hung up on the naming of things. For example, as I understand it, Run Invocation, Build Trigger, and Build Config URI/Digest should all be defined in terms of the top-level execution. I think this would be more clearly stated if they all used the same terminology (like "Run").
I found the Build Signer vs Build Config terminology a bit confusing as well. The descriptions clarify, but we were tempted to populate Build Signer URI with a URI ref that did not point to build config instructions, and just uniquely identified the job instead.
If all top-level execution is referred to as Run *, I was suggesting that Build Signer * could just be called Build * (and just for consistency, support all the same OIDs as Run *).
I don't have super strong opinions here, this is just my anecdotal feedback. I always have to go back and cross-reference with the OID mapping table to remember what the intent is/was. I felt like more descriptive/consistent naming might help with that.
from fulcio.
Related Issues (20)
- Do not block startup on OIDC providers being offline
- How does cosign verify use the privatized fulcio deployment? HOT 1
- add info into readme about local doc
- Allow configurable client signing algorithms HOT 11
- Issue while running sigstore locally HOT 3
- Fulcio doesn't pass http customization to go-oidc
- Request For Comment: Removing support for detached SCTs HOT 5
- Add support for release attestations HOT 3
- Dockerfiles use amd64-specific images HOT 1
- Make pkg/certificate/parseExtentions function public
- Codefresh OIDC provider support HOT 3
- [Windows] ctfe_init container "/bin/sh: 1: /root/logid.sh: not found" HOT 2
- Cosign failed to sing the image HOT 1
- TLS verification on OIDC Issuers HOT 2
- How can I get the CT log? HOT 3
- Add HellΕ Issuer HOT 2
- Update to go-jose v4
- Chainguard OIDC provider support HOT 8
- `/healthz` probe fails in Proxy-Enabled Environment
- Add option to enable TLS for communication with CTlog
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fulcio.