
Cosign Keyless Sign OIDC Providers #3890

Closed
alecrevangelista opened this issue Sep 26, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@alecrevangelista

Hi there,

I've created a ticket in the past, but I have been looking into using keyless signing again. My problem is that I want to be able to use keyless signing completely from the command-line / terminal (without the need to login through a UI). So far, the cosign docs haven't shown how to do this with OIDC providers other than GCP... The example in the documentation is:

cosign sign --identity-token=$(gcloud auth print-identity-token --audiences=sigstore) gcr.io/user-vmtest2/demo

We do not use GCP so unfortunately this is not an option for us. Alternatively, I did try using my Amazon EKS Cluster as the OIDC provider (following this guide), and the Identity Token I received from that turned out to work with cosign just fine. The ID token from EKS took this form:

{
  "aud": [
    "sigstore"
  ],
  "exp": 1727329539,
  "iat": 1727328939,
  "iss": "https://oidc.eks.us-west-2.amazonaws.com/id/EKS_ID",
  "kubernetes.io": {
    "namespace": "MY_EKS_NAMESPACE",
    "pod": {
      "name": "MY_EKS_POD",
      "uid": "1234567899"
    },
    "serviceaccount": {
      "name": "MY_EKS_SERVICE_ACCOUNT",
      "uid": "1234567890"
    }
  },
  "nbf": 1727328939,
  "sub": "system:serviceaccount:MY_EKS_SERVICE_ACCOUNT"
}

I wanted to try and see if we can use HashiCorp Vault as an OIDC provider. Our Vault ID token takes the form:

{
  "aud": "sigstore",
  "email": "MY_TEAM@COMPANY.com",
  "exp": 1727332282,
  "iat": 1727328682,
  "iss": "https://stg.vault.company.com/v1/VAULT_NAMESPACE/identity/oidc",
  "namespace": "t9wNo",
  "nbf": "1727328682",
  "sub": "1234567890"
}

The public keys can be reached at https://stg.vault.COMPANY.com/v1/VAULT_NAMESPACE/identity/oidc/.well-known/keys. However, using this token unfortunately leads to the error:

cosign sign-blob --identity-token eyabc --output-certificate cert.txt --output-signature sig.txt test.txt --bundle cosign.bundle
Using payload from: test.txt
Generating ephemeral keys...
Retrieving signed certificate...
Error: signing test.txt: getting key from Fulcio: retrieving cert: not verified by identity provider
main.go:74: error during command execution: signing test.txt: getting key from Fulcio: retrieving cert: not verified by identity provider

Is there anything wrong with the Vault token claims? Is the Vault token not an option we can use? Are there any other options we can use for our use-case?
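Before handing a token to cosign, it helps to look at the claims Fulcio will see. The script below is an added example, not code from the cosign or Fulcio projects: it decodes the payload of a JWT-shaped identity token without verifying its signature (Fulcio does that against the issuer's published keys) and reports the shape differences visible between the two tokens quoted above: `aud` as a string versus a list (both are valid per RFC 7519), `nbf` encoded as a string rather than a number, and whether `iss` appears in an issuer allow-list. The allow-list is a placeholder you fill with the issuers your Fulcio instance is configured to trust; the sample payloads are constructed from the placeholder values in this issue, with empty signatures, so nothing here is a real credential.

```python
import base64
import json
import time

# Constructed sample payloads mirroring the two tokens quoted in the issue
# (placeholder values, not real tokens). Only the payload segment matters here.
EKS_PAYLOAD = {
    "aud": ["sigstore"],
    "exp": 1727329539,
    "iat": 1727328939,
    "iss": "https://oidc.eks.us-west-2.amazonaws.com/id/EKS_ID",
    "nbf": 1727328939,
    "sub": "system:serviceaccount:MY_EKS_SERVICE_ACCOUNT",
}
VAULT_PAYLOAD = {
    "aud": "sigstore",
    "email": "MY_TEAM@COMPANY.com",
    "exp": 1727332282,
    "iat": 1727328682,
    "iss": "https://stg.vault.company.com/v1/VAULT_NAMESPACE/identity/oidc",
    "namespace": "t9wNo",
    "nbf": "1727328682",   # string, not a NumericDate
    "sub": "1234567890",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment (constructed sample only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(seg))


def preflight(token: str, allowed_issuers, now=None) -> list:
    """List obvious claim problems. Empty list means nothing stood out.

    allowed_issuers is a hypothetical allow-list standing in for the issuers the
    target Fulcio instance is configured to accept; it is not read from Fulcio.
    """
    now = time.time() if now is None else now
    claims = decode_payload(token)
    findings = []

    # aud may legitimately be a string or a list; normalise before checking.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if "sigstore" not in aud_list:
        findings.append(f"aud {aud!r} does not include 'sigstore'")

    # RFC 7519 date claims are NumericDate values, not strings.
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if value is not None and not isinstance(value, (int, float)):
            findings.append(f"{name} is a {type(value).__name__}, expected a numeric date")

    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("token is expired")

    iss = claims.get("iss")
    if not iss:
        findings.append("missing iss claim")
    elif iss not in allowed_issuers:
        findings.append(f"issuer {iss} is not in the configured issuer allow-list")

    # Fulcio binds the certificate to an identity taken from the token.
    if not (claims.get("sub") or claims.get("email")):
        findings.append("no sub or email claim to bind the certificate to")
    return findings


if __name__ == "__main__":
    allowed = {EKS_PAYLOAD["iss"]}  # placeholder allow-list
    for label, payload in (("EKS", EKS_PAYLOAD), ("Vault", VAULT_PAYLOAD)):
        for finding in preflight(make_unsigned_jwt(payload), allowed, now=1727329000) or ["ok"]:
            print(f"{label}: {finding}")
```

Run it with a fixed `now` (as in the `__main__` block) to reproduce the checks against the two sample payloads, or pass a real `--identity-token` value and your own allow-list. The output only narrows down where to look: a token that passes every check can still be rejected if the issuer is not configured on the Fulcio instance you are talking to, which is what the "not verified by identity provider" error in the issue indicates.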

@haydentherapper
Contributor

Closing as this is an issue with supported providers in Fulcio.
