Skip to content

SigstoreSigner: public key should match signer #537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lukpueh opened this issue Mar 16, 2023 · 5 comments
Closed

SigstoreSigner: public key should match signer #537

lukpueh opened this issue Mar 16, 2023 · 5 comments
Labels
discussion Issues that require discussion

Comments

@lukpueh
Copy link
Member

lukpueh commented Mar 16, 2023

SigstoreSigner takes a signing token and a public key that contains the corresponding OIDC identity and issuer. They should be checked if they indeed correspond:

securesystemslib/securesystemslib/signer/_sigstore_signer.py

Lines 137 to 142 in 2acf318

def __init__(self, token: str, public_key: Key):
# TODO: Vet public key
# - signer eligible for keytype/scheme?
# - token matches identity/issuer?
self.public_key = public_key
self._token = token

Moreover, this relation could be facilitated by constraining oauth + oidc flow to use the identity and issuer set by the user when the token is created:

securesystemslib/securesystemslib/signer/_sigstore_signer.py

Lines 168 to 171 in 2acf318

# TODO: Restrict oauth flow to use identity/issuer from public_key
# TODO: Use secrets_handler for identity_token() secret arg
issuer = Issuer.production()
token = issuer.identity_token()

(currently, the sigstore proxy lets you choose from a list of providers and use arbitrary identities in the flow)
@lukpueh lukpueh mentioned this issue Mar 16, 2023
Closed
@ckilcoin
Copy link

Hi Lukas, I am interested in working on this issue as a first task to get more involved in the Secure Systems Lab. Do you think it would be good introductory work for the project?

@jku
Copy link
Collaborator

jku commented Mar 20, 2023

it's unfortunately not 100% clear what the right path is:

  • the info we want to verify is in the token...
  • but the token is also sort of a black box that we as users of sigstore-python just should not need to parse

I'm still hoping that sisgtore-python would add some functionality to make this easier (such as being able to call issuer.identity_token() with arguments issuer / identity), sigstore/sigstore-python#567 but it is not clear if that will happen or not

@jku
Copy link
Collaborator

jku commented Mar 20, 2023

if you're just looking for something to start with, #498 or #512 might be good

@lukpueh lukpueh added the discussion Issues that require discussion label Mar 14, 2024
@jku
Copy link
Collaborator

jku commented Mar 22, 2024

I believe this is now doable by comparing the public key to sigstore-pythons
IdentityToken.expected_certificate_subject and IdentityToken.expected_certificate_subject.identity

@jku
Copy link
Collaborator

jku commented Apr 18, 2024

this is now doable by comparing the public key to sigstore-pythons
IdentityToken.expected_certificate_subject and IdentityToken.expected_certificate_subject.identity

Actually this bit is now implemented (for interactive auth at least). I'll close this one.

@jku jku closed this as completed Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion Issues that require discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jku @lukpueh @ckilcoin