Comments (9)
@laurentsimon FYI
from fulcio.
Would it be useful to have a provider-agnostic extension?
Say we have Google and GitHub providers. Depending on context, we may want to add additional information (in the case of this issue, a commit hash): will the OID have a {provider type, datablob} structure?
I don't think we want to create a new extension every time a provider needs to add additional context to the cert.
wdut?
from fulcio.
Would it be useful to have a provider-agnostic extension?
Yeah that's doable -- we just have a prefix reserved (1.3.6.1.4.1.57264), and we can start using them as we please!
Right now Bob's planning on using 1.1 for issuer context, provide-agnositc. I'm not sure how conventions work here. should 1.2 be commit sha and 1.3 be trigger? or should they be bundled in some way?
from fulcio.
cc @bobcallaway
from fulcio.
Or barring privacy concerns around logging the full github token in rekor (are there any? maybe private workflows?) maybe we can serialize the whole token and stick it in a single extension?
from fulcio.
yeah that's what I was thinking too: version || len_provider_name || provider_name || provider_version || len_serialize_data || serialized_data
. provider_version
probably not necessary.
from fulcio.
Side note: @dlorenc got the same effect as this by signing with annotations on the sha/commit.
I think it's still useful to have this information in the cert in case it's not a cosign container sig being created (just a signature on an artifact, and this info can come from the cert)
from fulcio.
@asraa Good to close this issue as fixed?
from fulcio.
Yes! Fixed
from fulcio.
Related Issues (20)
- There is a typo
- Proposal: Integrate with attestation for hardware-backed keys HOT 7
- Allow for a configurable Gitlab url HOT 2
- ACME protocol for certificate issuance
- Add Shutdown behavior
- Do not block startup on OIDC providers being offline
- How does cosign verify use the privatized fulcio deployment? HOT 1
- add info into readme about local doc
- Allow configurable client signing algorithms HOT 11
- Issue while running sigstore locally HOT 3
- Fulcio doesn't pass http customization to go-oidc
- Request For Comment: Removing support for detached SCTs HOT 5
- Add support for release attestations HOT 3
- Dockerfiles use amd64-specific images HOT 1
- Make pkg/certificate/parseExtentions function public
- Codefresh OIDC provider support HOT 3
- [Windows] ctfe_init container "/bin/sh: 1: /root/logid.sh: not found" HOT 2
- Cosign failed to sing the image HOT 1
- TLS verification on OIDC Issuers HOT 2
- How can I get the CT log? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fulcio.