Allow providing root.json checksum instead of a full root.json file for cosign initialize #3946

Open
bkabrda opened this issue Nov 28, 2024 · 4 comments · May be fixed by #3953
Labels
enhancement New feature or request

Comments

@bkabrda
Contributor

bkabrda commented Nov 28, 2024

Description

Hi folks 👋 I have been working on a setup to run private Sigstore instances and one of the hurdles right now is how cosign initialize is executed by users. When providing the initial root via --root, they either:

  • Have to get the initial root.json through a side channel (it has to be pre-baked inside a CI image somehow, distributed through an IaC tool, etc.), or
  • They just reference it directly by its URL in the TUF repo for the --root argument (which arguably is not the safest thing to do)

Providing the initial root.json via a side channel is the better way to go, but it's also a bit inconvenient, because it requires distributing the whole file.

I think a more convenient way to handle this would be allowing verification of the checksum of the initial root instead of actually providing it. This would allow having a single C&P command to initialize cosign instead of having to distribute a file through a side channel. It would also make it more convenient for e.g. CI pipelines, where the checksum could be provided as a single env variable instead of having to bake the whole root.json file into CI build images or individual repos.

In terms of implementation, I would propose adding a new --root-checksum argument, mutually exclusive with the existing --root argument. The format of the accepted value would be something like [[<root-file-name>:]<checksum-algo>:]<checksum>. Examples:

  • --root-checksum 1.root.json:sha512:abcde...
  • --root-checksum sha512:abcde... (implying 1.root.json as file to check)
  • --root-checksum abcde... (implying 1.root.json as file to check and sha512 as checksum algo to use)

I'm not sure if the root-file-name as part of the value is really necessary, so that might be omitted in the implementation, but maybe it's good to be able to override it?

If this makes sense, I would be happy to implement the feature and submit a PR. Please let me know what you think! 🙏

@bkabrda bkabrda added the enhancement New feature or request label Nov 28, 2024
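
The value format proposed above, parsed and checked against a fetched root, as an added example that is not part of the original post and is not cosign's implementation (the linked PR may differ). `RootPin`, `ParseRootChecksum`, `Checksum` and `Verify` are hypothetical names, the sha256/sha512 algorithm set is an assumption, and the sample root is constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Hypothetical names throughout: this is not cosign's implementation.
var algos = map[string]func() hash.Hash{"sha256": sha256.New, "sha512": sha512.New}
type RootPin struct{ File, Algo, Digest string }

// ParseRootChecksum parses [[<root-file-name>:]<checksum-algo>:]<checksum>,
// defaulting to 1.root.json and sha512 as the issue proposes.
func ParseRootChecksum(v string) (RootPin, error) {
	f := strings.Split(v, ":")
	if len(f) > 3 {
		return RootPin{}, fmt.Errorf("too many fields in %q", v)
	}
	f = append([]string{"1.root.json", "sha512"}[:3-len(f)], f...) // defaults for omitted fields
	p := RootPin{File: f[0], Algo: f[1]}
	newHash, ok := algos[p.Algo]
	if !ok {
		return p, fmt.Errorf("unsupported checksum algorithm %q", p.Algo)
	}
	d, err := hex.DecodeString(f[2])
	if err != nil || len(d) != newHash().Size() { // truncated digests are rejected
		return p, fmt.Errorf("checksum must be a full hex %s digest", p.Algo)
	}
	p.Digest = hex.EncodeToString(d) // normalised to lowercase hex
	return p, nil
}

// Checksum returns the hex digest of root; algo must be a key of algos.
func Checksum(algo string, root []byte) string {
	h := algos[algo]()
	h.Write(root)
	return hex.EncodeToString(h.Sum(nil))
}
// Verify reports whether the fetched root bytes match the pinned digest.
func (p RootPin) Verify(root []byte) bool { return Checksum(p.Algo, root) == p.Digest }

func main() {
	root := []byte(`{"signed":{"_type":"root","version":1}}`) // constructed sample
	p, err := ParseRootChecksum("sha512:" + Checksum("sha512", root))
	fmt.Println(p.File, p.Algo, err, p.Verify(root), p.Verify(append(root, '\n')))
}
```

Only a `RootPin` returned without error by `ParseRootChecksum` should be passed to `Verify`, and the check has to run on the exact bytes fetched, before they are parsed or trusted as TUF metadata.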
@haydentherapper
Contributor

I'm supportive of this, and would prefer this to be a requirement if a root is downloaded via URL; I agree that is quite unsafe. We can tee this up as a requirement for the next major release.

I'd lean towards simplicity, with --root-checksum being only a digest of the requested file from --root.

@bkabrda
Contributor Author

bkabrda commented Dec 3, 2024

> and would prefer this to be a requirement if a root is downloaded via URL

Agreed, I can definitely do that.

> I'd lean towards simplicity, with --root-checksum being only a digest of the requested file from --root.

That's actually a great point, I will implement it using this approach.

Thanks for your input, I'll get to work :)

@vipulagarwal

> We can tee this up as a requirement for the next major release.

At present, it is a common (bad) practice to provide --root as a URL among private Sigstore users. It would be helpful to give early warning to the users that --root-checksum will become mandatory in the near future and then add this as a breaking change. It can be a similar warning that is thrown for image tag usage.

@bkabrda
Contributor Author

bkabrda commented Dec 10, 2024

@vipulagarwal I agree, and that's exactly how I implemented it in #3953 - at first, using --root from URL without --root-checksum will emit a deprecation warning telling users to use the --root-checksum argument and that it will be mandated in future.
