-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use ctlog.config for creating certs, add managecaroots job, tests. #352
Conversation
960548d
to
ad4b786
Compare
88f505c
to
c4b918d
Compare
fa5cc22
to
a53d2a1
Compare
if err != nil { | ||
log.Fatalf("Failed to marshal new configuration: %v", err) | ||
} | ||
// Take out the public / private key from the secret since we didn't mess |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unclear on why these are removed from the config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, because the reconcilesecret only 'reconciles' the keys that are in this map. We pull them out of the map so that they are never modified by the run of this script.
https://github.com/sigstore/scaffolding/blob/main/pkg/secret/secret.go#L28
logging.FromContext(ctx).Fatalf("Failed to marshal fulcio Root cert %s cert: %w", fulcio.String(), err) | ||
} | ||
logging.FromContext(ctx).Infof("Got a root cert for fulcio Root cert %s", fulcio) | ||
// Strip the certificate begin/end marker strings since CTLog doesn't |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this accurate? https://github.com/sigstore/public-good-instance/blob/main/config/ctfe/root.pem shows that we did specify PEM headers. Or is this just how we store them in the ctlog config, and then add headers back later on?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is how they are being served from the logs:
vaikas@villes-mbp scaffolding % curl https://ctfe.sigstore.dev/test/ct/v1/get-roots | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1381 100 1381 0 0 4538 0 --:--:-- --:--:-- --:--:-- 4681
{
"certificates": [
"MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIxMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSyA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0JcastaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJxVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uupHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ==",
"MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
]
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah interesting, this is base64 encoded DER. I guess pem.Decode
handles headerless PEM?
} | ||
} | ||
} | ||
// Check that all the expected roots were found. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned above, if we're supporting third-party CAs, we would want to check that we've found all fulcio roots, but it might just be a subset of roots in the ctlog config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thought we might need that, so thanks for that use case :)
There's the --strict flag that we can then flip to false. For the tests, I wanted to make sure it was a precise match, but thought there would be other use cases.
https://github.com/sigstore/scaffolding/pull/352/files#diff-f3a6ec0f5f1577f486baea8af21fd6f52dc4a009ed193babaef0b758e09eb841R57
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
Thanks for the review @haydentherapper I think I addressed all your comments, PTAL :) |
…/removing), tests. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
are in the CTLog trusted roots. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
fb707e9
to
dc1fa04
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Late LGTM, looks good!
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
createctconfig
#129 for discussion and motivationAddresses but does not fix: https://github.com/sigstore/public-good-instance/issues/524
Release Note
Documentation