
sigstore: add new verification policies for missing extensions #1004

Merged
merged 3 commits into sigstore:main from add-new-x509-extensions
May 7, 2024

Conversation

@facutuesca (Contributor) commented May 7, 2024

The missing extensions (and their OIDs) are documented here.

This PR adds an extra base class for verification classes, _SingleX509ExtPolicyV2, which inherits from _SingleX509ExtPolicy but expects the extension being verified to have a DER-encoded value (as opposed to just the raw strings). See here for more details.

This new base class is used for the extensions 1.3.6.1.4.1.57264.1.8 through 1.3.6.1.4.1.57264.1.22. Also, a new test is added that checks that a GHA-signed artifact can be verified using all (old and new) extensions.

cc @woodruffw

Closes #425.
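To make the old-style/new-style distinction concrete, here is an added, self-contained example (not sigstore-python's code, and not from this PR) of the two policy shapes the description talks about. It models a certificate as a plain OID-to-bytes mapping (`FakeCert`, constructed), reuses the base-class names `_SingleX509ExtPolicy` and `_SingleX509ExtPolicyV2` from the description with stand-in bodies, and names the two concrete policies `IssuerPolicy` / `IssuerPolicyV2` (hypothetical names). The V2 OID 1.3.6.1.4.1.57264.1.8 is the first of the range the PR covers; the old-style issuer OID 1.3.6.1.4.1.57264.1.1 is taken from the Fulcio extension spec. The DER helpers are written here with the standard library only, so the example runs offline; a real verifier would take the extension value from a parsed X.509 certificate instead.

```python
from dataclasses import dataclass
from typing import Dict

# OIDs: the V2 issuer OID is the first of the range named in the PR; the
# old-style issuer OID comes from the Fulcio certificate-extension spec.
OID_ISSUER_V1 = "1.3.6.1.4.1.57264.1.1"  # value is the raw UTF-8 bytes
OID_ISSUER_V2 = "1.3.6.1.4.1.57264.1.8"  # value is a DER-encoded UTF8String

DER_UTF8STRING_TAG = 0x0C


class VerificationError(Exception):
    """Raised when a certificate fails a policy (stand-in for sigstore's own)."""


def der_encode_utf8string(value: str) -> bytes:
    """Encode a str as a DER UTF8String: tag, definite length, UTF-8 body."""
    body = value.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])  # short-form length
    else:
        nbytes = (n.bit_length() + 7) // 8  # long form, minimal byte count
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([DER_UTF8STRING_TAG]) + length + body


def der_decode_utf8string(data: bytes) -> str:
    """Strictly decode exactly one DER UTF8String; reject anything else."""
    if len(data) < 2 or data[0] != DER_UTF8STRING_TAG:
        raise ValueError("extension value is not a DER UTF8String")
    first = data[1]
    if first < 0x80:
        n, off = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
            raise ValueError("malformed DER length")
        n = int.from_bytes(data[2 : 2 + nbytes], "big")
        off = 2 + nbytes
        # DER requires the shortest possible length encoding.
        if n < 0x80 or data[2] == 0:
            raise ValueError("non-minimal DER length")
    if off + n != len(data):
        raise ValueError("DER length does not match extension value")
    return data[off:].decode("utf-8")


@dataclass
class FakeCert:
    """Constructed stand-in for a parsed certificate: OID -> extension value."""
    extensions: Dict[str, bytes]

    def extension_value(self, oid: str) -> bytes:
        if oid not in self.extensions:
            raise VerificationError(f"certificate lacks extension {oid}")
        return self.extensions[oid]


class _SingleX509ExtPolicy:
    """Old-style policy: the extension value must equal the raw UTF-8 bytes."""
    oid: str

    def __init__(self, value: str) -> None:
        self._value = value

    def verify(self, cert: FakeCert) -> None:
        raw = cert.extension_value(self.oid)
        if raw != self._value.encode("utf-8"):
            raise VerificationError(f"{self.oid}: expected {self._value!r}, got {raw!r}")


class _SingleX509ExtPolicyV2(_SingleX509ExtPolicy):
    """New-style policy: decode the DER UTF8String first, then compare."""

    def verify(self, cert: FakeCert) -> None:
        raw = cert.extension_value(self.oid)
        try:
            decoded = der_decode_utf8string(raw)
        except ValueError as exc:
            raise VerificationError(f"{self.oid}: {exc}") from exc
        if decoded != self._value:
            raise VerificationError(f"{self.oid}: expected {self._value!r}, got {decoded!r}")


class IssuerPolicy(_SingleX509ExtPolicy):  # hypothetical name
    oid = OID_ISSUER_V1


class IssuerPolicyV2(_SingleX509ExtPolicyV2):  # hypothetical name
    oid = OID_ISSUER_V2


def satisfies(policy: _SingleX509ExtPolicy, cert: FakeCert) -> bool:
    """True when the policy accepts the certificate, False when it raises."""
    try:
        policy.verify(cert)
    except VerificationError:
        return False
    return True


if __name__ == "__main__":
    issuer = "https://issuer.example"  # constructed value
    good = FakeCert({OID_ISSUER_V1: issuer.encode("utf-8"),
                     OID_ISSUER_V2: der_encode_utf8string(issuer)})
    print(satisfies(IssuerPolicy(issuer), good), satisfies(IssuerPolicyV2(issuer), good))
```

The point of the second class is that the two encodings are not interchangeable: a DER-wrapped value stored under an old-style OID never byte-matches the raw-string policy, and a raw string stored under a V2 OID is rejected by the V2 policy before any comparison because it does not start with the UTF8String tag. The decoder is deliberately strict (tag, minimal length, no trailing bytes) so that a malformed value fails closed rather than partially matching.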

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@@ -93,6 +112,41 @@ def verify(self, cert: Certificate) -> None:
)


class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy):
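Review bot: the name `_SingleX509ExtPolicyDer` in this hunk is misleading and does not match the `_SingleX509ExtPolicyV2` name the PR description uses: the old-style extension values are DER as well, and the actual difference is that the new extensions carry a DER-encoded string value rather than the raw string bytes. Rename the class to `_SingleX509ExtPolicyV2` and give it a class docstring that states that difference, so a reader of the subclass knows why it exists alongside `_SingleX509ExtPolicy` without having to consult the Fulcio spec.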
@woodruffw (Member) commented on this line:

Let's call this V2 or something, since they're both technically DER and Fulcio refers to these as "V2":

Suggested change
class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy):
class _SingleX509ExtPolicyV2(_SingleX509ExtPolicy):

@facutuesca (Contributor, author) replied:

done!

@woodruffw (Member) commented:

/gcbrun

@woodruffw woodruffw added component:verification Core verification functionality component:api Public APIs labels May 7, 2024
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Review thread on pyproject.toml: outdated, resolved.
Co-authored-by: William Woodruff <william@yossarian.net>
Signed-off-by: Facundo Tuesca <facu@tuesca.com>
@woodruffw (Member) commented:

/gcbrun

@woodruffw (Member) left a review comment:

LGTM!

@facutuesca if you want to send a follow-up PR for another RC release as well, that would be great 🙂

@woodruffw woodruffw enabled auto-merge (squash) May 7, 2024 16:00
@woodruffw woodruffw merged commit e136352 into sigstore:main May 7, 2024
23 checks passed
@woodruffw woodruffw deleted the add-new-x509-extensions branch May 7, 2024 16:01
Successfully merging this pull request may close these issues.

Fulcio: Switch to new-style claim extensions
2 participants