
Extract all the GitHub related information from signature certs #65

Conversation

flavio (Member) commented May 23, 2022

The certificates issued by Fulcio include some custom x509 extensions when cosign verify is run inside of a GitHub Action.

Starting from this commit, all these extra attributes are extracted from the certificate and stored inside of the CertificateSignature object.

This allows the creation of more fine-tuned validation constraints for signatures produced inside of GitHub Actions.

The certificates issued by Fulcio include some custom x509 extensions
when `cosign verify` is run inside of a GitHub Action.

Starting from this commit, all these extra attributes are extracted from
the certificate and stored inside of the `CertificateSignature` object.

This allows the creation of more fine-tuned validation constraints for
signatures produced inside of GitHub Actions.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Co-authored-by: Víctor Cuadrado Juan <viccuad@users.noreply.github.com>
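The extraction and the kind of fine-tuned constraint the description talks about, as an added example that is not code from this PR or from the sigstore project (the library here is Rust; the example is Go because Fulcio and cosign are Go and the standard library's x509 package is enough to run it offline). It builds a self-signed leaf carrying Fulcio's documented GitHub Actions extension OIDs, 1.3.6.1.4.1.57264.1.1 through .6, with each claim stored as the raw extension bytes the way the original Fulcio extensions did; it then pulls the claims out of the parsed certificate and applies a repository/ref/trigger policy to them. The `GitHubClaims` and `Constraint` types, the field names, the `NewConstructedCert` scaffolding and the sample repository, SHA and ref values are assumptions constructed for this example, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fulcio's documented OID arc for the OIDC issuer and GitHub Actions claims
// (1.3.6.1.4.1.57264.1.x). The numbers are Fulcio's; the variable names are ours.
var (
	oidIssuer     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	oidGHTrigger  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
	oidGHSHA      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
	oidGHWorkflow = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
	oidGHRepo     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
	oidGHRef      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
)

// GitHubClaims is an assumed stand-in for what the PR stores on CertificateSignature.
type GitHubClaims struct {
	Issuer, Trigger, SHA, Workflow, Repository, Ref string
}

// ExtractGitHubClaims walks the leaf certificate's extensions. These original
// Fulcio extensions carry the claim as the raw extension bytes (no DER string
// wrapper), so the value is used as-is. Unknown OIDs are ignored.
func ExtractGitHubClaims(cert *x509.Certificate) GitHubClaims {
	var c GitHubClaims
	for _, ext := range cert.Extensions {
		v := string(ext.Value)
		switch {
		case ext.Id.Equal(oidIssuer):
			c.Issuer = v
		case ext.Id.Equal(oidGHTrigger):
			c.Trigger = v
		case ext.Id.Equal(oidGHSHA):
			c.SHA = v
		case ext.Id.Equal(oidGHWorkflow):
			c.Workflow = v
		case ext.Id.Equal(oidGHRepo):
			c.Repository = v
		case ext.Id.Equal(oidGHRef):
			c.Ref = v
		}
	}
	return c
}

// githubActionsIssuer is the OIDC issuer GitHub Actions tokens carry.
const githubActionsIssuer = "https://token.actions.githubusercontent.com"

// Constraint is an assumed policy type: the verifier's "fine-tuned" check over
// the extracted claims. The issuer must be GitHub Actions, the repository must
// match exactly, the ref must sit under RefPrefix (e.g. only tags), and the
// trigger must match when one is given.
type Constraint struct {
	Repository string
	RefPrefix  string
	Trigger    string // empty means any trigger is accepted
}

func (k Constraint) Check(c GitHubClaims) error {
	if c.Issuer != githubActionsIssuer {
		return fmt.Errorf("issuer %q is not GitHub Actions", c.Issuer)
	}
	if c.Repository != k.Repository {
		return fmt.Errorf("repository %q does not match %q", c.Repository, k.Repository)
	}
	if !strings.HasPrefix(c.Ref, k.RefPrefix) {
		return fmt.Errorf("ref %q is not under %q", c.Ref, k.RefPrefix)
	}
	if k.Trigger != "" && c.Trigger != k.Trigger {
		return fmt.Errorf("trigger %q is not %q", c.Trigger, k.Trigger)
	}
	return nil
}

// NewConstructedCert is test scaffolding, not a Fulcio certificate: a self-signed
// leaf carrying the same extensions, so the extraction can be exercised offline.
func NewConstructedCert(c GitHubClaims) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-leaf"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{
			{Id: oidIssuer, Value: []byte(c.Issuer)},
			{Id: oidGHTrigger, Value: []byte(c.Trigger)},
			{Id: oidGHSHA, Value: []byte(c.SHA)},
			{Id: oidGHWorkflow, Value: []byte(c.Workflow)},
			{Id: oidGHRepo, Value: []byte(c.Repository)},
			{Id: oidGHRef, Value: []byte(c.Ref)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample claims; the repository, SHA and ref are made up.
	cert, err := NewConstructedCert(GitHubClaims{
		Issuer: githubActionsIssuer, Trigger: "push",
		SHA: "0123456789abcdef0123456789abcdef01234567", Workflow: "release",
		Repository: "example-org/example-repo", Ref: "refs/tags/v1.2.3",
	})
	if err != nil {
		panic(err)
	}
	claims := ExtractGitHubClaims(cert)
	policy := Constraint{Repository: "example-org/example-repo", RefPrefix: "refs/tags/", Trigger: "push"}
	fmt.Printf("claims: %+v\npolicy result: %v\n", claims, policy.Check(claims))
}
```

The same `ExtractGitHubClaims` would run unchanged over a real Fulcio-issued leaf from a cosign signature, since it only reads `cert.Extensions`; what it does not do is verify the chain or the transparency log entry, which a real verifier must do before trusting any of these claims.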
@flavio flavio added the enhancement New feature or request label May 23, 2022
@flavio flavio self-assigned this May 23, 2022
@flavio flavio requested a review from viccuad May 23, 2022 14:46
@flavio flavio merged commit a817a40 into sigstore:main May 24, 2022
@flavio flavio deleted the signature-layer-extract-all-the-github-related-extensions-from-fulcio-issued-certificate branch May 24, 2022 07:21
viccuad added a commit to viccuad/policy-fetcher that referenced this pull request May 24, 2022