Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--cert-identity should be optional on sigstore verify github #780

Closed
woodruffw opened this issue Sep 28, 2023 · 3 comments · Fixed by #1015
Closed

--cert-identity should be optional on sigstore verify github #780

woodruffw opened this issue Sep 28, 2023 · 3 comments · Fixed by #1015
Labels
component:cli CLI components enhancement New feature or request
Milestone
3.0

Comments

@woodruffw
Copy link
Member

woodruffw commented Sep 28, 2023
edited

Noticed while dogfooding with @ret2libc: sigstore verify github currently requires --cert-identity, even when the set of flags passed by the user might be sufficient for verification purposes.

This makes sigstore verify github invocations unnecessarily wordy, e.g.:

sigstore verify github action.py --cert-identity https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/release.yml@refs/tags/v2.0.1

...when, for many users, this more concise invocation is probably sufficient:

sigstore verify github action.py --repository sigstore/gh-action-sigstore-python
@woodruffw woodruffw added enhancement New feature or request component:cli CLI components labels Sep 28, 2023
@woodruffw
Copy link
Member Author

(This would be a backwards-compatible change, since --cert-identity would go from required to optional.)

@woodruffw woodruffw added this to the 3.0 milestone Dec 19, 2023
@haydentherapper
Copy link
Contributor

Are these equivalent identifiers? The former is a specific "builder" identity. This aligns to SLSA's model for identity, that trust is rooted in the builder. In terms of trust boundary however, you could argue that a maintainer can modify any workflow in a repository, so it's unnecessary to pin to a specific builder.

Preferring the more narrowly scoped identity, could we specify an additional flag for "releaser" or "builder" like release.yml@refs/tags/v2.0.1, and then combine repository with this flag to construct the identity?

@woodruffw woodruffw mentioned this issue May 13, 2024
Merged
@woodruffw
Copy link
Member Author

Sorry, I completely missed this comment before 😅

Are these equivalent identifiers? The former is a specific "builder" identity. This aligns to SLSA's model for identity, that trust is rooted in the builder. In terms of trust boundary however, you could argue that a maintainer can modify any workflow in a repository, so it's unnecessary to pin to a specific builder.

Yeah, I think the argument here would be that, especially in the absence of strongly pinned reusable workflows, there's very little auditable difference between a ref + workflow filename and the repository URI itself -- in both cases you need to resort to checking the exact build commit anyways, since the repository can move both the filename and symbolic ref around as it pleases.

(I suspect this is gh attestation's rationale as well, since they allow scoping as high as just the GitHub org without referencing the repo or workflow, etc.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:cli CLI components enhancement New feature or request
Projects
None yet
Milestone
3.0
Development

Successfully merging a pull request may close this issue.

cli: allow DSSE verification sigstore/sigstore-python
2 participants
@woodruffw @haydentherapper