@ansasaki ansasaki commented Feb 2, 2026

Remove the support for mTLS for agent (client) side authentication in agent-driven attestation.

The reasons to drop are:

  • The deployment is complex: requires distribution of certificates
  • It is error prone: giving certificates trusted by the verifier means giving access to administrative (tenant) endpoints, which should never happen

This can be reconsidered in future if better authentication/authorization mechanisms are available.

Remove the support for mTLS for agent (client) side authentication in
agent-driven attestation.

The reasons to drop are:
  - The deployment is complex: requires distribution of certificates
  - It is error prone: giving certificates trusted by the verifier means
    giving access to administrative (tenant) endpoints, which should
    never happen

This can be reconsidered in future if better
authentication/authorization mechanisms are available.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

codecov bot commented Feb 2, 2026

Codecov Report

❌ Patch coverage is 76.66667% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.22%. Comparing base (263cdee) to head (4378576).
⚠️ Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
keylime-push-model-agent/src/attestation.rs 76.92% 3 Missing ⚠️
keylime-push-model-agent/src/registration.rs 60.00% 2 Missing ⚠️
keylime-push-model-agent/src/main.rs 80.00% 1 Missing ⚠️
keylime/src/registrar_client.rs 75.00% 1 Missing ⚠️
Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 38.19% <6.89%> (+0.68%) ⬆️
upstream-unit-tests 66.29% <95.65%> (+0.08%) ⬆️

Files with missing lines Coverage Δ
keylime-push-model-agent/src/state_machine.rs 17.36% <ø> (ø)
keylime-push-model-agent/src/struct_filler.rs 20.32% <ø> (ø)
keylime/src/agent_registration.rs 92.40% <ø> (-0.54%) ⬇️
keylime/src/config/base.rs 87.56% <ø> (-0.47%) ⬇️
keylime/src/config/env.rs 84.21% <ø> (ø)
keylime/src/config/push_model.rs 60.00% <ø> (ø)
keylime/src/https_client.rs 68.18% <100.00%> (+12.62%) ⬆️
keylime-push-model-agent/src/main.rs 24.22% <80.00%> (-2.87%) ⬇️
keylime/src/registrar_client.rs 83.98% <75.00%> (-0.42%) ⬇️
keylime-push-model-agent/src/registration.rs 54.11% <60.00%> (-0.24%) ⬇️
... and 1 more

... and 25 files with indirect coverage changes

ansasaki commented Feb 2, 2026

I believe the tests require the fixes in keylime/keylime#1841.
The main reason is the missing session_lifetime configuration option in the verifier template.
When it is not set, the authentication token expires immediately.
