
Add Hellō Issuer #1683

Open
dickhardt opened this issue Jun 3, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@dickhardt
Contributor

Add https://issuer.hello.coop as an OIDC Identity Provider for sigstore

For details on Hellō see https://hello.coop/ & https://hello.dev/

@dickhardt dickhardt added the enhancement New feature or request label Jun 3, 2024
@haydentherapper
Contributor

Thanks for reaching out. To start, can you take a look at https://github.com/sigstore/fulcio/blob/main/docs/new-idp-requirements.md? This outlines the requirements that we ask of IDPs integrating with the public instance. Do you meet these requirements?

To confirm, based on your documentation, it looks like issued identity tokens are for email addresses?

@dickhardt
Contributor Author

See PR #1684

Yes, Hellō meets those requirements.

Yes, ID Tokens are for an email address.

@haydentherapper
Contributor

@dickhardt, sorry for the delay in rollout, we were in the middle of a configuration update. We've rolled out support in staging - can you test? https://docs.sigstore.dev/system_config/public_deployment/#staging-instance has instructions on testing against staging with Cosign, though you can also just test by sending an identity token to Fulcio.

@dickhardt
Contributor Author

@haydentherapper

Tested -- works as expected.

Output from sign and verify below against staging, using the https://issuer.hello.coop issuer:

% cosign sign --oidc-issuer "https://issuer.hello.coop" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" "ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"

Generating ephemeral keys...
Retrieving signed certificate...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
Your browser will now be opened to:
https://wallet.hello.coop/authorize?access_type=online&client_id=sigstore&code_challenge=TZp-Pkvt7zGPP5gPzuYnF5HBs0KNKeOmw685t_qjXGg&code_challenge_method=S256&nonce=2kRFILmCQ1H4Cv9vWINycb87nyu&redirect_uri=http%3A%2F%2Flocalhost%3A55174%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2kRFINNPlrdKqE4V4YH7DaHY6zp
Successfully verified SCT...
tlog entry created with index: 31389007
Pushing signature to: ttl.sh/c020b59f
√ ~ % cosign verify --rekor-url "https://rekor.sigstage.dev" "ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7" [email protected] --certificate-oidc-issuer=https://issuer.hello.coop

Verification for ttl.sh/c020b59f@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":{"identity":{"docker-reference":"ttl.sh/c020b59f"},"image":{"docker-manifest-digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://issuer.hello.coop","Bundle":{"SignedEntryTimestamp":"MEUCIB3+1Z874yN7N3keKEZUDpuR+awyYoJDuYqVWdfseV94AiEAjjFrG985lNzBiw7LY/0/CWZOQBx8EX1cCk2ZaFxw+UM=","Payload":{"body":"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","integratedTime":1723238027,"logIndex":31388804,"logID":"d32f30a3c32d639c2b762205a21c7bb07788e68283a4ae6f42118723a1bea496"}},"Issuer":"https://issuer.hello.coop","Subject":"[email protected]"}},{"critical":{"identity":{"docker-reference":"ttl.sh/c020b59f"},"image":{"docker-manifest-digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://issuer.hello.coop","Bundle":{"SignedEntryTimestamp":"MEQCIBEpQm4JHnjtDESo8q+DMFeeiX2j6OWw/i7W0ar2jUfNAiBg0e6F0/vA4M0WSmKX5tUNpRrWAu9VtxLo21U3o+Uxvg==","Payload":{"body":"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","integratedTime":1723238404,"logIndex":31389007,"logID":"d32f30a3c32d639c2b762205a21c7bb07788e68283a4ae6f42118723a1bea496"}},"Issuer":"https://issuer.hello.coop","Subject":"[email protected]"}}]

@dickhardt
Contributor Author

@haydentherapper -- are there any issues with staging? When do you expect this to be deployed to production?

@haydentherapper
Contributor

Timely ping, we just deployed to prod an hour ago! Can you test against prod?
