feat: keyless #1659
feat: keyless #1659
Conversation
Adds support for keyless cosign verification. This feature allows users to verify images signed with cosign without the need for a public key. fixes #1493
|
Integration tests and documentation are still missing and |
| @@ -125,6 +125,13 @@ application: | |||
| MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsx28WV7BsQfnHF1kZmpdCTTLJaWe | |||
| d0CA+JOi8H4REuBaWSZ5zPDe468WuOJ6f71E7WFg3CVEVYHuoZt2UYbN/Q== | |||
| -----END PUBLIC KEY----- | |||
| - name: keyless | |||
There was a problem hiding this comment.
Commented out, I can see this as an example, but it shouldn't be part of the default config
|
|
||
| func ValidateCertificate(cert string) error { | ||
| certPool := x509.NewCertPool() | ||
| if !certPool.AppendCertsFromPEM([]byte(cert)) { |
There was a problem hiding this comment.
That's not really what this function is supposed to check.
// AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
// It appends any certificates found to s and reports whether any certificates
// were successfully parsed.
If there is a single valid certificate inside the bytestring and then a bunch of garbage, this succeeds
Also a nit: the return value is never used in its form and could be a bool with as IsValidCert or similar
| if !certPool.AppendCertsFromPEM([]byte(cert)) { | |
| return certPool.AppendCertsFromPEM([]byte(cert)) |
| @@ -478,7 +478,7 @@ func TestValidateErrors(t *testing.T) { | |||
| }, | |||
| }, | |||
| }, | |||
| "Key must be set if Cert isn't", | |||
| "Key is a required field", | |||
| cv.RekorPubkey = valData.Host.RekorPubkey | ||
| cv.FulcioCert = valData.Host.FulcioCert | ||
| cv.CTLogPubkey = valData.Host.CTLogPubkey |
There was a problem hiding this comment.
Is there no way to validate the pub keys?
| func (cv *CosignValidator) getFulcioCerts() (*x509.CertPool, *x509.CertPool, error) { | ||
| if cv.FulcioCert != "" { | ||
| root := x509.NewCertPool() | ||
| // certificate was already validated during unmarshalling |
There was a problem hiding this comment.
Thinking about it, why do we even put the bytestring into the CosignValidator in the first place? It is unserialized into a CosignValidatorYaml, so we could make the cv.Cert and cv.FulcioCert field the cert pool with the added certificate during validation already, or am I missing something?
Adds support for keyless cosign verification. This feature allows users to verify images signed with cosign without the need for a public key.
fixes #1493
Checklist
developChart.yaml(if necessary)