Skip to content

policy.json BYOPKI signature verification API #2579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mtrmac merged 1 commit into from
Feb 19, 2025
Merged

policy.json BYOPKI signature verification API #2579

mtrmac merged 1 commit into from
Feb 19, 2025

Conversation

@QiWang19
Copy link
Member

@QiWang19 QiWang19 commented Sep 20, 2024
edited
Loading

@QiWang19 QiWang19 changed the title policy.json BYOPKI signature verification API WIP: policy.json BYOPKI signature verification API Sep 20, 2024
@QiWang19
Copy link
Member Author

QiWang19 commented Sep 20, 2024

Hi @mtrmac , I’ve created this draft PR for the policy.json API change, could you take a look and provide your initial thoughts on the structure of the API update?
I just want to make sure I’m on the right path before proceeding further. My plan is to merge both the API and code support in a single PR. What do you think?

mtrmac
mtrmac reviewed Sep 20, 2024
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Looks good overall.

Earlier discussion openshift/enhancements#1658 .

Doing both the API and implementation in one PR works for me, having the API available but broken is not really helping anything.

@mtrmac mtrmac mentioned this pull request Sep 24, 2024
Open
@QiWang19 QiWang19 force-pushed the byo-pki-verify branch 2 times, most recently from b3a0606 to f8585cd Compare October 2, 2024 23:08
@QiWang19 QiWang19 changed the title WIP: policy.json BYOPKI signature verification API policy.json BYOPKI signature verification API Oct 3, 2024
@QiWang19 QiWang19 marked this pull request as ready for review October 3, 2024 02:12
@QiWang19
Copy link
Member Author

QiWang19 commented Oct 3, 2024

@mtrmac Could you please take a look? It's ready for review. I am unsure about how I’m handling the intermediate certificates.

mtrmac
mtrmac reviewed Oct 3, 2024
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few-minute first pass — this looks very good. I didn’t read this carefully, and I skipped the tests completely, for now.

Combining the policy-provided and signature-provided intermediate certificates makes sense to me, but I’ll at least check what Cosign does.

@mtrmac
Copy link
Collaborator

mtrmac commented Oct 3, 2024

Cc: @Honny1 as well — c/image/signature is a somewhat separate part of the codebase, and as security-critical with a lot of paranoia. Worth understanding the structure and idioms.

@QiWang19
Copy link
Member Author

QiWang19 commented Oct 9, 2024

@mtrmac Do you think the PKI code needs a file like fulcio_cert_stub.go and should include build tags? I'm not fully clear on the purpose of this compile configuration.

@mtrmac
Copy link
Collaborator

mtrmac commented Oct 9, 2024

The signature/*_stub.go files were added in #2180 , to avoid dependencies on sigstore Go modules not packaged (at the time??) in Debian.

Here, the only similar dependency seems to be github.com/sigstore/sigstore/pkg/cryptoutils, which is also required by no-stubbed policy_eval_sigstore.go; so this shouldn’t need a stub.

@QiWang19
Copy link
Member Author

QiWang19 commented Oct 25, 2024

Combining the policy-provided and signature-provided intermediate certificates makes sense to me, but I’ll at least check what Cosign does.

I checked some cosign code, maybe I got lost in the code path, I did see it process the signature-provided intermediate certificates 🤔

@QiWang19
Copy link
Member Author

QiWang19 commented Oct 25, 2024

@mtrmac could you review?

mtrmac
mtrmac reviewed Nov 4, 2024
View reviewed changes
saschagrunert
saschagrunert approved these changes Nov 5, 2024
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just two nits, otherwise LGTM

mtrmac
mtrmac reviewed Nov 5, 2024
View reviewed changes
@saschagrunert
Copy link
Member

saschagrunert commented Nov 19, 2024

@containers/image-maintainers can we get this merged?

@QiWang19 QiWang19 mentioned this pull request Nov 20, 2024
Merged
@QiWang19
Copy link
Member Author

QiWang19 commented Jan 7, 2025

@mtrmac Could you review this PR?

@QiWang19
Copy link
Member Author

QiWang19 commented Jan 8, 2025

Rebased with the base branch.

@dmitris
Copy link

dmitris commented Jan 27, 2025

OCPNODE-2338

now tracked in RUN-2436

@dmitris
Copy link

dmitris commented Jan 27, 2025

Rebased with the base branch.

@QiWang19 could you rebase it again? (Maybe this would help to get this merged 😄 )

mtrmac
mtrmac reviewed Feb 8, 2025
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very good overall, ~1.5 comment on the substance of the code; almost all are about testing or documentation.

@QiWang19 QiWang19 force-pushed the byo-pki-verify branch 3 times, most recently from 24bc182 to 4c71319 Compare February 14, 2025 04:32
@QiWang19
Copy link
Member Author

QiWang19 commented Feb 14, 2025

@mtrmac PTAL

@QiWang19 QiWang19 force-pushed the byo-pki-verify branch 2 times, most recently from 7760cc2 to a4aa6e3 Compare February 17, 2025 18:08
@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Feb 17, 2025

As noted elsewhere, this is approved for RHEL 9.6/10.0 if this is merged and then backported into the c/image release-5.34 branch on or before Friday, February 28, 2024.

The Jira cards for this work are:
https://issues.redhat.com/browse/RHEL-79695 - RHEL 10
https://issues.redhat.com/browse/RHEL-79694 - RHEL 9.6

@QiWang19 QiWang19 force-pushed the byo-pki-verify branch 2 times, most recently from e799c45 to 8b7a0ec Compare February 17, 2025 22:15
@QiWang19
Copy link
Member Author

QiWang19 commented Feb 17, 2025

rebased with the latest branch

@dmitris
Copy link

dmitris commented Feb 18, 2025

OCPNODE-2338

^^ replaced with RUN-2436

@dmitris
Copy link

dmitris commented Feb 18, 2025

@mtrmac @QiWang19 really great that this is going to be released - thanks so much for pushing this on!

Have a question regarding the support for timestamping authority CA Roots but will add it to containers/container-libs#214.

mtrmac
mtrmac reviewed Feb 18, 2025
View reviewed changes
QiWang19
QiWang19 commented Feb 18, 2025
View reviewed changes
mtrmac
mtrmac reviewed Feb 18, 2025
View reviewed changes
mtrmac
mtrmac reviewed Feb 19, 2025
View reviewed changes
mtrmac
mtrmac approved these changes Feb 19, 2025
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Great work.

@mtrmac mtrmac merged commit 65e12ec into containers:main Feb 19, 2025
10 checks passed
This was referenced Feb 19, 2025
Open
Merged
@mtrmac
Copy link
Collaborator

mtrmac commented Feb 19, 2025

if this is merged and then backported into the c/image release-5.34 branch on or before Friday, February 28, 2024.

@TomSweeneyRedHat I have filed #2725 for the backport.

Also, containers/container-libs#190 can track adding the corresponding signing code. After that, no new options should be necessary in Skopeo/Podman, just updating c/image.

@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Feb 28, 2025

@QiWang19 v5.34.1 release just dropped on c/image, FYI, and Happy Fri-YAY!

@QiWang19
Copy link
Member Author

QiWang19 commented Feb 28, 2025

@TomSweeneyRedHat @mtrmac Thanks!

TomSweeneyRedHat added a commit to TomSweeneyRedHat/common that referenced this pull request Feb 28, 2025
@TomSweeneyRedHat
[v0.62] Bump c/image to v5.34.1
ba63f05 
Bump c/image to v5.34.1 which will bring in BYOPKI signature
verification per CRIO's request starting with: containers/image#2579

This is targeted for RHEL 9.6/10.0 ZeroDay.

Signed-off-by: tomsweeneyredhat <[email protected]>
@renovate renovate bot mentioned this pull request Jul 26, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@mtrmac mtrmac mtrmac approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@QiWang19 @mtrmac @saschagrunert @dmitris @TomSweeneyRedHat