Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support private PKI #34

Open
ianlewis opened this issue Apr 20, 2022 · 4 comments
Open

Support private PKI #34

ianlewis opened this issue Apr 20, 2022 · 4 comments
Labels
type:feature New feature or request

Comments

@ianlewis
Copy link
Member

ianlewis commented Apr 20, 2022
edited
Loading

It would be useful to support private PKI.
@steiza
Copy link

steiza commented Apr 20, 2022
edited
Loading

Yeah, so when I heard about this project I thought of it as made up of two steps:

  1. Taking workload identity information (like from GitHub Actions) and encoding it into an in-toto document with SLSA predicates

  2. Generating a signed attestation of the in-toto document, so it can be verified downstream

For (2), there are many advantages of using public sigstore infrastructure: individual projects don't have to manage PKI, there's a public transparency log, ... etc. The expectation is that this is what most open source projects would do.

But there might be cases where people don't want to use public sigstore infrastructure, maybe because the don't want their transparency logs to be public, or because they have their own PKI they way to use. In that situation, it would be nice if this project supported just generating the in-toto document (i.e. just step 1 - which they could then sign however they liked), or maybe even different options for signing other than public sigstore infrastructure (i.e. step 2).

That said, there is a lot of value in having an opinionated paved path, and maybe having different options for (2) adds more confusion than it's worth. There's nothing stopping people from implementing support for their own PKI as they need it!

@ianlewis
Copy link
Member Author

I think it's definitely something that could be considered and supported. In order to keep it simpler, maybe it's something we should wait on implementing until folks are specifically asking for it?

If we did implement it, we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has.

@ianlewis ianlewis added the type:feature New feature or request label May 18, 2022
This was referenced Jun 17, 2022
Open
Closed
@ianlewis ianlewis mentioned this issue Sep 12, 2022
Merged
@asraa
Copy link
Collaborator

asraa commented Sep 15, 2022

we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has.

The biggest challenge around here is verifying against the correct TUF root: folks would need to specify addresses for rekor/fulcio but also the trusted root CA and rekor public key they expect. That information would need to be pushed to the SLSA verifier as well.

I don't know the best solution for this yet. Do we specify the whole TUF root? On the generator side I suppose we only need to specify the rekor/fulcio, and the end-users need to know the TUF root.

@ianlewis
Copy link
Member Author

The biggest challenge around here is verifying against the correct TUF root

How do sigstore tools handle this currently?

@ianlewis ianlewis mentioned this issue Oct 3, 2022
Closed
@ianlewis ianlewis mentioned this issue Oct 27, 2022
Closed
@lcarva lcarva mentioned this issue May 3, 2024
Open
@ianlewis ianlewis mentioned this issue Sep 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:feature New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ianlewis @steiza @asraa