-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configure additional certificate extensions for Buildkite #1903
Configure additional certificate extensions for Buildkite #1903
Conversation
@haydentherapper @feelepxyz I've had another swing at this. It's not mergable yet, but I'd value your feedback! A specific question I had while working on this: if Buildkite identity is now managed by the CIProvider type, can we rip out the Buildkite specific issuer - either in this PR or in a follow up? Or is it needed for backwards compatibility? Also: would you like this PR to update the table in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No additional tests are necessary if this is working locally! We'll roll this out to our staging environment first, fulcio.sigstage.dev
, for you to test against.
The Buildkite specific issuer should no longer be necessary. I was planning to remove all specific CI issuers as part of a 2.x release, waiting for backwards compatibility just in case someone has deployed a local instance.
Yes please! Thank you. |
Brilliant, thanks! I'll look at getting those two new claims into our tokens this coming week, then update this and mark it ready for review |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1903 +/- ##
==========================================
- Coverage 57.93% 49.25% -8.69%
==========================================
Files 50 70 +20
Lines 3119 5214 +2095
==========================================
+ Hits 1807 2568 +761
- Misses 1154 2413 +1259
- Partials 158 233 +75 ☔ View full report in Codecov by Sentry. |
c73a062
to
c317ac0
Compare
@haydentherapper this is now as functional enough to be mergable from our perspective. The new extensions are working in my local testing (see updated PR description), and I've fixed the URL construction to handle the integer I assume you might want a test for the changes in https://buildkite.com/docs/agent/v3/cli-oidc#claims-example-token-contents as an example token with our claims (not |
@yob I looked into this, the root cause is how the JSON unmarshaller works. The solution you have here seems sufficient. A small test would be great. |
Oh, I also wanted to pass along a link for being added to PyPI's list of accepted trusted publishers - Once this PR is in and rolled out, it should be straightforward to get Buildkite added to PyPI. |
neat, thanks! I've started chatting to the rubygems folks about their trusted publisher support too: rubygems/rubygems.org#5377 |
c317ac0
to
e22971d
Compare
@haydentherapper done! I ended up tweaking the float->string logic a little, so floats with a fractional part don't get truncated into an int. That's not required for Buildkite tokens (we have no claims with a float value), but it felt like the least surprising behaviour to leave for future travelers. I was tempted to adjust Maybe we could consider the |
The default behaviour of %v is fine in most cases: > bool: %t > int, int8 etc.: %d > uint, uint8 etc.: %d, %#x if printed with %#v > float32, complex64, etc: %g > string: %s > chan: %p > pointer: %p However Buildkite's build_number claim is an int in the JSON, but comes through as a Float64 and we need to render it into a string value as a regular int. Claim values that are floats with a fractional part will also be converted to a string, but their fractional part will be retained. This isn't required for Buildkite OIDC tokens, but feels like the least-surprising behaviour for future travelers. Signed-off-by: James Healy <james@buildkite.com>
The Buildkite Issuer was added in sigstore#890, prior to the efforts to standardise certificate extensions for CI providers, and sigstore#1074 calls for the Buildkite issuer to be updated to use the new extensions (where applicable). This is an early attempt to make those changes. I initially started these in sigstore#1307, however is is a new swing at it using the new CIProvider issuer (see sigstore#1729 and sigstore#1743). I've added the extensions that make the most sense in a Buildkite context, like RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the other extensions don't apply because we're not a code host as well, or need further discussion. I have not added tests yet. This is my first contribution to fulcio and I'm keen to confirm I'm heading in the right direction before adding tests. However, I have tested this locally with a Buildkite agent and OIDC token, and the certificate was issued as expected. I started a local fulcio like this: $ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml ... and signed git commits with gitsign. The relevant bits of the certificates look like: git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text ... X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: Code Signing X509v3 Subject Key Identifier: 36:D2:99:B9:BA:98:4B:3A:77:51:DC:08:05:83:12:9A:F4:EE:41:E5 X509v3 Authority Key Identifier: D2:41:21:29:23:AD:E9:27:69:6F:DB:85:6D:1B:3F:7E:A9:55:F3:02 X509v3 Subject Alternative Name: critical URI:https://buildkite.com/yob-opensource/oidc-signing-experiment 1.3.6.1.4.1.57264.1.1: https://agent.buildkite.com 1.3.6.1.4.1.57264.1.8: ..https://agent.buildkite.com 1.3.6.1.4.1.57264.1.11: ..self-hosted 1.3.6.1.4.1.57264.1.13: .(078a6dd4a32fa40592c21a40aedaf27105503140 1.3.6.1.4.1.57264.1.20: ..ui 1.3.6.1.4.1.57264.1.21: .khttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270 Signed-off-by: James Healy <james@buildkite.com>
e22971d
to
d5e7817
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delay, this is great! Thanks for the contribution!
Following up on TestWorkflowPrincipalFromIDToken
SGTM.
@haydentherapper great timing, I was just thinking this morning about following this PR up 😁 I've just flipped the feature flag that will add the new |
Just getting a few other PRs merged, then I'll cut a release and ping you here once it's in staging. |
Summary
The Buildkite Issuer was added in #890, prior to the efforts to standardise certificate extensions for CI providers, and #1074 calls for the Buildkite issuer to be updated to use the new extensions (where applicable).
This is an early attempt to make those changes. I initially started these in #1307, however this is a new swing at it using the new CIProvider issuer (see #1729 and #1743).
I've added the extensions that make the most sense in a Buildkite context, like RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the other extensions don't apply because we're not a code host as well, or need further discussion.
I have tested this locally with a Buildkite agent and OIDC token, and the certificate was issued as expected. I started a local fulcio like this:
... and signed git commits with gitsign. The relevant bits of the certificates look like:
Fixes #1074
cc @sj26
Release Note
None.
Documentation
None