policy.json BYOPKI signature verification API#2579
Conversation
QiWang19
changed the title
|
Hi @mtrmac , I’ve created this draft PR for the policy.json API change, could you take a look and provide your initial thoughts on the structure of the API update? |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Thanks! Looks good overall.
Earlier discussion openshift/enhancements#1658 .
Doing both the API and implementation in one PR works for me, having the API available but broken is not really helping anything.
QiWang19
force-pushed
the
byo-pki-verify
branch
2 times, most recently
from
b3a0606 to
f8585cd
Compare
QiWang19
changed the title
|
@mtrmac Could you please take a look? It's ready for review. I am unsure about how I’m handling the intermediate certificates. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Just a few-minute first pass — this looks very good. I didn’t read this carefully, and I skipped the tests completely, for now.
Combining the policy-provided and signature-provided intermediate certificates makes sense to me, but I’ll at least check what Cosign does.
|
Cc: @Honny1 as well — c/image/signature is a somewhat separate part of the codebase, and as security-critical with a lot of paranoia. Worth understanding the structure and idioms. |
QiWang19
force-pushed
the
byo-pki-verify
branch
from
f8585cd to
f70f17a
Compare
|
@mtrmac Do you think the PKI code needs a file like fulcio_cert_stub.go and should include build tags? I'm not fully clear on the purpose of this compile configuration. |
|
The Here, the only similar dependency seems to be |
I checked some cosign code, maybe I got lost in the code path, I did see it process the signature-provided intermediate certificates 🤔
|
|
@mtrmac could you review? |
QiWang19
force-pushed
the
byo-pki-verify
branch
from
f70f17a to
897b425
Compare
saschagrunert
left a comment
saschagrunert
left a comment
There was a problem hiding this comment.
Just two nits, otherwise LGTM
QiWang19
force-pushed
the
byo-pki-verify
branch
from
897b425 to
f020a87
Compare
|
@containers/image-maintainers can we get this merged? |
|
@mtrmac Could you review this PR? |
QiWang19
force-pushed
the
byo-pki-verify
branch
from
f020a87 to
c9ea5b9
Compare
|
Rebased with the base branch. |
|
now tracked in RUN-2436 |
@QiWang19 could you rebase it again? (Maybe this would help to get this merged 😄 ) |
QiWang19
force-pushed
the
byo-pki-verify
branch
from
c9ea5b9 to
5e5e968
Compare
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Looks very good overall, ~1.5 comment on the substance of the code; almost all are about testing or documentation.
QiWang19
force-pushed
the
byo-pki-verify
branch
3 times, most recently
from
24bc182 to
4c71319
Compare
|
@mtrmac PTAL |
QiWang19
force-pushed
the
byo-pki-verify
branch
2 times, most recently
from
7760cc2 to
a4aa6e3
Compare
|
As noted elsewhere, this is approved for RHEL 9.6/10.0 if this is merged and then backported into the c/image release-5.34 branch on or before Friday, February 28, 2024. The Jira cards for this work are: |
QiWang19
force-pushed
the
byo-pki-verify
branch
2 times, most recently
from
e799c45 to
8b7a0ec
Compare
|
rebased with the latest branch |
|
^^ replaced with RUN-2436 |
|
@mtrmac @QiWang19 really great that this is going to be released - thanks so much for pushing this on! Have a question regarding the support for timestamping authority CA Roots but will add it to containers/container-libs#214. |
QiWang19
force-pushed
the
byo-pki-verify
branch
from
8b7a0ec to
a3911e4
Compare
QiWang19
force-pushed
the
byo-pki-verify
branch
from
a3911e4 to
80bc666
Compare
QiWang19
force-pushed
the
byo-pki-verify
branch
from
80bc666 to
27e2898
Compare
Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19
force-pushed
the
byo-pki-verify
branch
from
27e2898 to
a1af69a
Compare
@TomSweeneyRedHat I have filed #2725 for the backport. Also, containers/container-libs#190 can track adding the corresponding signing code. After that, no new options should be necessary in Skopeo/Podman, just updating c/image. |
|
@QiWang19 v5.34.1 release just dropped on c/image, FYI, and Happy Fri-YAY! |
|
@TomSweeneyRedHat @mtrmac Thanks! |
Bump c/image to v5.34.1 which will bring in BYOPKI signature verification per CRIO's request starting with: containers/image#2579 This is targeted for RHEL 9.6/10.0 ZeroDay. Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
5 participants
OCPNODE-2338