sigstore: add new verification policies for missing extensions #1004
99ab1f6 to 0bf44fc
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
0bf44fc to 70e1ac4
sigstore/verify/policy.py
Outdated
@@ -93,6 +112,41 @@ def verify(self, cert: Certificate) -> None: | |||
) | |||
|
|||
|
|||
class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy): |
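Review bot: the name `_SingleX509ExtPolicyDer` on the new class line does not say what distinguishes it from `_SingleX509ExtPolicy`, since the existing policies' extension values are DER as well (as the thread below notes); naming it after Fulcio's own V1/V2 split, e.g. `class _SingleX509ExtPolicyV2(_SingleX509ExtPolicy):`, and stating in its docstring that the extension value is a DER-encoded string rather than raw text would make the contract of the subclass explicit to anyone adding the 1.8 through 1.22 policies on top of it.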
Let's call this V2 or something, since they're both technically DER and Fulcio refers to these as "V2":
class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy): | |
class _SingleX509ExtPolicyV2(_SingleX509ExtPolicy): |
done!
/gcbrun
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: William Woodruff <william@yossarian.net>
Signed-off-by: Facundo Tuesca <facu@tuesca.com>
/gcbrun
LGTM!
@facutuesca if you want to send a follow-up PR for another RC release as well, that would be great 🙂
The missing extensions (and their OIDs) are documented here.

This PR adds an extra base class for verification classes, _SingleX509ExtPolicyV2, which inherits from _SingleX509ExtPolicy but expects the extension being verified to have a DER-encoded value (as opposed to just the raw strings). See here for more details. This new base class is used for the extensions 1.3.6.1.4.1.57264.1.8 through 1.3.6.1.4.1.57264.1.22. Also, a new test is added that checks that a GHA-signed artifact can be verified using all (old and new) extensions.

cc @woodruffw

Closes #425.
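The encoding difference the description refers to, as an added example that is not sigstore-python's own code: a V1-style policy compares the extension value as raw UTF-8 text, while a V2-style policy must first DER-decode the value as a UTF8String and must fail closed when the value is not one. The class and function names (Extension, SingleExtPolicy, SingleExtPolicyV2, IssuerV1, IssuerV2, check) are illustrative and do not match the project's API; the use of 1.3.6.1.4.1.57264.1.1 as the V1 issuer OID is an assumption taken from the Fulcio documentation; the extension values are constructed inline rather than read from a real certificate, so the example runs offline without the cryptography package.

```python
# Added example, not sigstore-python's own code. Shows the raw-string (V1) versus
# DER UTF8String (V2) Fulcio extension encodings the PR distinguishes. Names here
# are illustrative, not the project's API; OID 1.3.6.1.4.1.57264.1.1 as the V1
# issuer OID is assumed from the Fulcio docs; extension values are constructed inline.
from dataclasses import dataclass
from typing import Iterable, Optional


class VerificationError(Exception):
    """Raised when an extension is missing, malformed or does not match."""


def der_encode_utf8string(s: str) -> bytes:
    """Encode a str as a DER UTF8String: tag 0x0C, definite length, UTF-8 body."""
    body = s.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return b"\x0c" + length + body


def der_decode_utf8string(data: bytes) -> str:
    """Decode exactly one DER UTF8String; reject anything else, raw text included."""
    if len(data) < 2 or data[0] != 0x0C:
        raise VerificationError("extension value is not a DER UTF8String")
    first = data[1]
    if first < 0x80:
        n, offset = first, 2
    else:
        num_len_bytes = first & 0x7F
        if num_len_bytes == 0 or len(data) < 2 + num_len_bytes:
            raise VerificationError("malformed DER length")
        n = int.from_bytes(data[2:2 + num_len_bytes], "big")
        offset = 2 + num_len_bytes
        if n < 0x80 or data[2] == 0:  # DER demands the shortest length form
            raise VerificationError("non-minimal DER length")
    if offset + n != len(data):
        raise VerificationError("DER length does not cover the whole extension value")
    return data[offset:].decode("utf-8")


@dataclass(frozen=True)
class Extension:
    """Stand-in for one X.509 extension: dotted OID plus raw value bytes."""
    oid: str
    value: bytes


class SingleExtPolicy:
    """V1-style policy: the extension value is compared as raw UTF-8 text."""
    oid: str = ""

    def __init__(self, expected: str) -> None:
        self._expected = expected

    def ext_value(self, ext: Extension) -> str:
        return ext.value.decode("utf-8")

    def verify(self, exts: Iterable[Extension]) -> None:
        ext = next((e for e in exts if e.oid == self.oid), None)
        if ext is None:
            raise VerificationError(f"certificate lacks extension {self.oid}")
        actual = self.ext_value(ext)
        if actual != self._expected:
            raise VerificationError(f"{self.oid}: expected {self._expected!r}, got {actual!r}")


class SingleExtPolicyV2(SingleExtPolicy):
    """V2-style policy: the value must DER-decode as a UTF8String first."""

    def ext_value(self, ext: Extension) -> str:
        return der_decode_utf8string(ext.value)


class IssuerV1(SingleExtPolicy):
    oid = "1.3.6.1.4.1.57264.1.1"  # assumed: Fulcio Issuer (V1, raw string value)


class IssuerV2(SingleExtPolicyV2):
    oid = "1.3.6.1.4.1.57264.1.8"  # Fulcio Issuer (V2), DER UTF8String value


def check(policy: SingleExtPolicy, exts: Iterable[Extension]) -> Optional[str]:
    """Run one policy; return None on success, otherwise the failure message."""
    try:
        policy.verify(list(exts))
        return None
    except VerificationError as e:
        return str(e)


# Constructed sample: a GitHub Actions cert carrying the issuer in both encodings.
ISSUER = "https://token.actions.githubusercontent.com"
SAMPLE_EXTS = [
    Extension(IssuerV1.oid, ISSUER.encode("utf-8")),
    Extension(IssuerV2.oid, der_encode_utf8string(ISSUER)),
]
```

Running check(IssuerV1(ISSUER), SAMPLE_EXTS) and check(IssuerV2(ISSUER), SAMPLE_EXTS) both succeed, which is the situation the new GHA test exercises. Swapping the decoders is not harmless in either direction: a V1 raw comparison against a DER value sees the two-byte tag and length prefix and reports a mismatch, and a V2 policy handed a raw-string value rejects it as not being a DER UTF8String instead of attempting a partial match. The decoder also rejects trailing bytes and non-minimal lengths, so an extension value is only accepted when it is exactly one well-formed UTF8String.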