GitHub actions extensions #90
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Correctly build and consume CertificateSignature{} in all tests.
Change GithubVerifier{} tests for new behaviour: now owner and repo need
to match against github_workflow_repository instead of subject.
On GithubVerifier, validate using the `github_workflow_repository` extension in signature certificate, instead of the `subject`. The `github_workflow_repository` extension contains the repo of the GH Action workflow that was triggered, not the one that was called. For example in the case of consuming a reusable workflow `octocat/reusable-workflows-repo` in `octocat/example`, `github_workflow_repository` contains `octocat/example`. This protects against incorrectly validating signatures that have been performed in reusable workflows.
flavio
approved these changes
May 24, 2022
Comment on lines
245
to
248
| let github_workflow_repository = match &certificate_signature.github_workflow_repository { | ||
| Some(workflow_repository) => workflow_repository, | ||
| None => return Err(SigstoreError::VerificationConstraintError(format!("The certificate is missing the github_workflow_repository extension despite being a GitHub Action one: {}", signature_subject))), | ||
| }; |
There was a problem hiding this comment.
Nit, this can be simplified using something like that:
let github_workflow_repository = certificate_signature.github_workflow_repository
.ok_or_else(|| Err(SigstoreError:VerificationConstraintError("boom"))?;There was a problem hiding this comment.
true, thanks! done in ba6c6ab.
jvanz
approved these changes
May 24, 2022
|
tagged v0.7.4 in main. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
On GithubVerifier, validate using the
github_workflow_repositoryextension in signature certificate, instead of the
subject.The
github_workflow_repositoryextension contains the repo of the GHAction workflow that was triggered, not the one that was called. For
example in the case of consuming a reusable workflow
octocat/reusable-workflows-repoinoctocat/example,github_workflow_repositorycontainsoctocat/example.This protects against incorrectly validating signatures that have been
performed in reusable workflows.
Test
Passing unit tests, also tested locally with a policy-server consuming this, and public policies.