Description
The code change done under Issue 3415 has introduced a piece of code that fetches the CT Log public key even if the user is providing --insecure-ignore-sct=true. It now impacts the following use case.
The signer has a local instance of PKI and is using an air-gapped environment to generate signatures, so this means we cannot use the public instances of TUF, Rekor etc.
The signer shares the signature and the associated certificates and cert chain with its clients. The clients have the trusted root certificate from the signer to verify the signatures.
Now when the verifier uses the root cert to verify the signature, with the new code change cosign is trying to get the CT Log public key, which is not needed in this use case, and due to this verification fails.
Version: 2.2.2.
This code change has impacted the BYO PKI case.
We are using our company PKI to generate signatures and attach those in the registry. We pass the root certificate to the verifier and, using the root certificate, we are able to verify the certificate chain -> leaf cert -> signature.
We don't use any of the Tlog and SCT features, as our servers are working mostly in an air-gapped mode with no connection to external internet servers.
So the problem is that even though we are passing the flags "--insecure-ignore-sct=true --insecure-ignore-tlog=true", cosign is still trying to fetch the ctlog public key for verification, which we don't want to use.
```
cosign verify harbor.demo-ncd.services.te0014-demo-ncd.dyn.nesc.net/ncd-orb/orbs/ncd-ncd_fp6_generic-799@sha256:c08f847db8877aeefa3852ae9ee471fa7c421be4089b855fd0e545d521e2d87c --certificate-identity-regexp='.' --certificate-oidc-issuer-regexp='.' --insecure-ignore-sct=true --insecure-ignore-tlog=true --cert-chain=rootCA.crt --verbose=true
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get https://tuf-repo-cdn.sigstore.dev/8.root.json: dial tcp 34.117.62.14:443: i/o timeout
remote status:{
    "mirror": https://tuf-repo-cdn.sigstore.dev/,
    "metadata": {}
}
main.go:74: error during command execution: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get https://tuf-repo-cdn.sigstore.dev/8.root.json: dial tcp 34.117.62.14:443: i/o timeout
remote status:{
    "mirror": https://tuf-repo-cdn.sigstore.dev/,
    "metadata": {}
}
```
The result is the same if I provide the rootCA.crt file as an env variable:
```
export SIGSTORE_ROOT_FILE=/home/sanyi/cosign-2/rootCA.crt
cosign verify harbor.demo-ncd.services.te0014-demo-ncd.dyn.nesc.net/ncd-orb/orbs/ncd-ncd_fp6_generic-799@sha256:c08f847db8877aeefa3852ae9ee471fa7c421be4089b855fd0e545d521e2d87c --certificate-identity-regexp='.' --certificate-oidc-issuer-regexp='.' --insecure-ignore-tlog=true --insecure-ignore-sct=true --verbose=true
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get https://tuf-repo-cdn.sigstore.dev/8.root.json: dial tcp 34.117.62.14:443: i/o timeout
remote status:{
    "mirror": https://tuf-repo-cdn.sigstore.dev/,
    "metadata": {}
}
main.go:74: error during command execution: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get https://tuf-repo-cdn.sigstore.dev/8.root.json: dial tcp 34.117.62.14:443: i/o timeout
remote status:{
    "mirror": https://tuf-repo-cdn.sigstore.dev/,
    "metadata": {}
}
```
The code change made in https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go (209):
```go
// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
	co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
	if err != nil {
		return fmt.Errorf("getting ctlog public keys: %w", err)
	}
}
```
goes into the section that gets the CT Log key if IgnoreSCT is false or the keylessVerification function returns true.
As in my case I am using the keyless functionality for verify and don't want to use SCT, but due to this cosign is still trying to fetch the ctlog public key, this has broken the existing running functionality for BYO PKI.
I propose to enhance this check to also see whether the user is passing a cert chain in the verify command; if so, we should not go for the CT Log public key when the user has asked to ignore SCT.
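As an added illustration (not cosign's own code), the Go snippet below reproduces the 2.2.2 condition quoted above next to the gate the issue proposes, so the two can be compared on the air-gapped BYO PKI inputs. `VerifyOptions`, `needCTLogKeysCurrent` and `needCTLogKeysProposed` are hypothetical names; `keylessVerification` is modelled after cosign's helper of the same name, and treating `SIGSTORE_ROOT_FILE` the same way as `--cert-chain` is an assumption of this example, not part of the proposal.

```go
package main

import "fmt"

// VerifyOptions holds the few cosign verify inputs that decide whether CT log
// public keys are fetched. Constructed for this example; not cosign's own type.
type VerifyOptions struct {
	KeyRef    string // --key
	Sk        bool   // --sk
	CertChain string // --cert-chain
	RootFile  string // SIGSTORE_ROOT_FILE (treated like --cert-chain; assumption)
	IgnoreSCT bool   // --insecure-ignore-sct
}

// keylessVerification is modelled after cosign's helper: no key file and no
// hardware token means the signature is verified against a certificate.
func keylessVerification(keyRef string, sk bool) bool {
	return keyRef == "" && !sk
}

// needCTLogKeysCurrent reproduces the 2.2.2 condition quoted in the issue:
// keyless verification always triggers the TUF fetch, even with IgnoreSCT set.
func needCTLogKeysCurrent(o VerifyOptions) bool {
	return !o.IgnoreSCT || keylessVerification(o.KeyRef, o.Sk)
}

// needCTLogKeysProposed implements the gate the issue proposes. SCT checking
// stays on unless explicitly ignored, so a verifier against the public Fulcio
// never silently loses it; only an explicit ignore combined with a
// bring-your-own root skips the network round trip to the TUF mirror.
func needCTLogKeysProposed(o VerifyOptions) bool {
	if !o.IgnoreSCT {
		return true // SCT verification requested: CT log keys are required
	}
	if o.CertChain != "" || o.RootFile != "" {
		return false // BYO PKI with SCTs ignored: no public CT log to check against
	}
	return keylessVerification(o.KeyRef, o.Sk)
}

func main() {
	// The air-gapped case from the issue: keyless, --cert-chain, SCTs ignored.
	airgapped := VerifyOptions{CertChain: "rootCA.crt", IgnoreSCT: true}
	fmt.Println("2.2.2 fetches CT log keys:", needCTLogKeysCurrent(airgapped))    // true
	fmt.Println("proposed fetches CT log keys:", needCTLogKeysProposed(airgapped)) // false
}
```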