Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using sigstore-go's API instead of Cosign #537

Open
haydentherapper opened this issue Jul 12, 2024 · 0 comments
Open

Using sigstore-go's API instead of Cosign #537

haydentherapper opened this issue Jul 12, 2024 · 0 comments

Comments

@haydentherapper
Copy link
Contributor

We, being the sigstore-go maintainers, have released a new version of sigstore-go with support for signing artifacts. We've been looking for good candidates in the ecosystem to try out sigstore-go, and I think gitsign would be a perfect choice. You're using Cosign's API currently for blob signing and not container signing, which means you should be able to migrate over to sigstore-go without any loss of functionality and a gain of fewer dependencies and a much cleaner API.

The main changes to note, beyond the API, are:

  • The usage of a new TUF client that uses a trust root bundle to fetch roots of trust. This also simplifies support for private Sigstore instances, which can provide trust root material via a single file rather than needing a TUF environment or setting multiple environment variables
  • Support for the new bundle format for verification material (cert and proof) and signature.

Here is an example of how to use the API to sign - https://github.com/sigstore/sigstore-go/blob/main/examples/sigstore-go-signing/main.go - and to verify - https://github.com/sigstore/sigstore-go/blob/main/cmd/sigstore-go/main.go.

If you were to make this change, at a glance over the code, you would roughly need to:

  • Fetch an identity token using Cosign's identity providers (we're talking about pulling these into a dedicated repo)
  • Change initialize to initialize the new TUF client
  • Provide the identity token and artifact to sigstore-go's signing API, output a bundle, and transform the bundle into the PKCS7 structure you store in the commit
    • You can let the signing API handle uploading to Rekor and fetching a cert from Fulcio, the API just needs an identity token
  • All verification can be replaced with sigstore-go's verification API, with the bundle as input (see 1 and 2)

You'd also need to decide if and how to support previously generated signatures/verification material. For verification, one suggestion would be to merge the "detached" verification material into a bundle that the sigstore-go API accepts, like what we're going to be doing in Cosign to output bundles - https://github.com/sigstore/cosign/pull/3752/files#diff-ed22d84833d1dbf7ab58a443e2105ce4769e2db0761f4d1c403ebc879957a3e1. I think this is no different than what you're already doing, switching between PKCS7 and Cosign structs.

If you wanna tackle this, let us know if you need any pointers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant