Support fetching a Fulcio certificate with a managed key

[haydentherapper]

Description

Currently, if you provide a key, this implies that you don't want to use Fulcio. Even if you specify COSIGN_EXPERIMENTAL, the presence of the key flag will take priority.

As per https://blog.sigstore.dev/adopting-sigstore-incrementally-1b56a69b8c15, one of the incremental options was to provide a key, but still get a code signing certificate and upload to the transparency log. This is currently not supported. The simplest way I can think of to implement this is to simply add another flag, something like issue-certificate, that will fetch a certificate and include it when uploading to the log and creating the OCI annotations.

In combination with #2397, the incremental approaches would then look like:

1. (Currently supported) Sign with self managed keys - cosign import-key-pair --key key.pem, and cosign sign --key cosign.key artifact-path
2. (Supported using rekor-cli) Sign with self managed keys with auditability - cosign sign --key cosign.key --tlog-upload artifact-path
3. NEW - Self-managed keys in code signing certs with auditability - cosign sign --key cosign.key --tlog-upload --issue-certificate artifact-path

cc @asraa @priyawadhwa

[AnishShah]

Hi, I'm new to sigstore and I recently submitted the first PR #2500. I was wondering if this bug is available to work?

I have a question too. Fulcio as a CA takes in a certificate and an OIDC token and returns a signed certificate. So I'm not sure what --issue-certificate is supposed to do by itself? Do we need additional flags for a cert and an OIDC token ?

[haydentherapper]

I would recommend reading the attached blogpost for context. This change is to support using a provided key when certifying it with Fulcio, rather than Cosign generating an ephemeral key. You won’t add additional flags for passing the key, we have existing ones, and you won’t add flags for passing the certificate because it would be generated by fulcio. You only need a flag to signal that you want to fetch a certificate when providing a key.

[AnishShah]

Thanks. I had read the blogspot already. But had some confusion about about Fulcio.

Based on my investigation, it looks like cosign already has a few flags for OIDC - https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/sign.go#L106

We can leverage these flags and also we have a helper function to fetch code signing certificate - https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/fulcio/fulcio.go#L95.

Does this sound good ?

[haydentherapper]

The existing flags all serve other purposes, for example the one you linked is for fetching the OIDC token. This request is for changing the behavior of this function, called from sign CLIs like this. You shouldn't need to call GetCert directly.

I would recommend the following changes:

• Add a boolean flag, --issue-certificate, default of false, for each of the sign CLI commands
• Add a IssueCertificate boolean to KeyOpts (code). This value will get passed to SignerFromKeyOpts automatically. Set this value for each CLI command.
• Change SignerFromKeyOpts (code) to read that value - If it's set, call keylessSigner.
• In keylessSigner, you'll see where the Fulcio signers are called. I'd update the Fulcio signer to read the private key from the ko KeyOpts instead of generating it here, if the key is set in the options.

Does that sound good? Feel free to make any changes if you see a cleaner way to do the refactor!