Clean up and match actual fragments. Don't base64 encode the rego policy. #24
Conversation
…icy. Signed-off-by: Ken Gordon <[email protected]>
It makes a fresh one every time you do a make clean. Otherwise they get stale, and the secrets police get on your case.
________________________________
From: Maksim An ***@***.***>
Sent: 11 April 2024 19:48
To: microsoft/cosesign1go ***@***.***>
Cc: Ken Gordon ***@***.***>; Author ***@***.***>
Subject: Re: [microsoft/cosesign1go] Clean up and match actual fragments. Don't base64 encode the rego policy. (PR #24)
@anmaxvl commented on this pull request.
________________________________
In pkg/cosesign1/Makefile<#24 (comment)>:
# Use a local linux build of the tool for the purposes of this Makefile - ie assume using in wsl.
# Usually sign1util.exe is a windows exe in /mnt/c/ContainerPlat aka c:\ContainerPlat but that is not certain.
sign1util: ../../cmd/sign1util/main.go *.go
go build ../../cmd/sign1util
…-infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util
- ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego.base64 -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero
- ./sign1util check -in $@
+#infra.rego.cose: infra.rego chain.pem leaf.private.pem sign1util
+# ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero
+# ./sign1util check -in $@
+
+%.rego.cose: %.rego chain.pem leaf.private.pem sign1util
+ ./sign1util create -algo ES384 -chain chain.pem -claims $< -key leaf.private.pem -out $@ -salt zero \
+ -feed acceuroperegistry.azurecr.io/infra:latest -content-type application/unknown+rego \
+ -issuer TestIssuer -feed TestFeed
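Review bot: the new `%.rego.cose` recipe passes `-feed` twice (`-feed acceuroperegistry.azurecr.io/infra:latest` on the second line, then `-feed TestFeed` on the third), so whichever value the flag parser keeps wins silently; drop one of them, or better, take the feed from a make variable so the value used is explicit. The old target's `./sign1util check -in $@` step is also gone from the pattern rule, so a freshly signed fragment is no longer verified as part of the build; restore it as the recipe's second line. The commented-out `infra.rego.cose` rule above the pattern rule is dead code now that the pattern rule covers it and can be removed.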
can you actually define FEED and use the actual issuer DID?
...
-feed $(FEED) \
-issuer $(ISSUER_DID)
It took me some time to figure out that the issuer/feed were wrong in the fragment that I pushed.
I’ll look again, but we need there to be a private key available.
________________________________
From: Maksim An ***@***.***>
Sent: 12 April 2024 04:50
To: microsoft/cosesign1go ***@***.***>
Cc: Ken Gordon ***@***.***>; Author ***@***.***>
Subject: Re: [microsoft/cosesign1go] Clean up and match actual fragments. Don't base64 encode the rego policy. (PR #24)
@anmaxvl commented on this pull request.
________________________________
In pkg/cosesign1/Makefile<#24 (comment)>:
# Use a local linux build of the tool for the purposes of this Makefile - ie assume using in wsl.
# Usually sign1util.exe is a windows exe in /mnt/c/ContainerPlat aka c:\ContainerPlat but that is not certain.
sign1util: ../../cmd/sign1util/main.go *.go
go build ../../cmd/sign1util
…-infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util
- ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego.base64 -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero
- ./sign1util check -in $@
+#infra.rego.cose: infra.rego chain.pem leaf.private.pem sign1util
+# ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero
+# ./sign1util check -in $@
+
+%.rego.cose: %.rego chain.pem leaf.private.pem sign1util
+ ./sign1util create -algo ES384 -chain chain.pem -claims $< -key leaf.private.pem -out $@ -salt zero \
+ -feed acceuroperegistry.azurecr.io/infra:latest -content-type application/unknown+rego \
+ -issuer TestIssuer -feed TestFeed
It makes a fresh one every time you do a make clean. Otherwise they get stale, and the secrets police get on your case.
What I mean is you're doing this below:
ISSUER_DID = $(shell ./sign1util did-x509 -chain chain.pem -policy cn)
Can't you do the same (or reuse the value) for the %.rego.cose target? The -feed could be a makefile parameter or something, don't you think?
# pattern-specific variable: the issuer DID is derived from the chain, not hand-set
%.rego.cose: ISSUER_DID = $(shell ./sign1util did-x509 -chain chain.pem -policy cn)
%.rego.cose: %.rego chain.pem leaf.private.pem sign1util
	./sign1util create -algo ... \
		-feed $(FEED) \
		-issuer $(ISSUER_DID)
So, this way, I would be able to create any fragment (given that I've put correct infra.rego):
make FEED=myregistry.azurecr.io/my/fragment:latest
…ED= and ISSUER_DID overrides will work. Note though that the signing is by the (generated) private key and so setting the ISSUER_DID override will result in a badly formed fragment, as in the fragment case the issuer DID MUST match the cert chain. Signed-off-by: Ken Gordon <[email protected]>
Signed-off-by: Ken Gordon <[email protected]>
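The two points above, Maksim's `did-x509 -chain chain.pem -policy cn` derivation and Ken's note that in the fragment case the issuer DID MUST match the cert chain, as an added Go example that is not code from cosesign1go or sign1util: it builds a throwaway root/leaf chain in memory (no certs or keys on disk, in the spirit of the Makefile change), derives a did:x509 issuer from the chain under the CN policy, and rejects a claimed issuer that the chain does not actually yield, which is what a hand-set ISSUER_DID override would produce. The names `Chain`, `NewTestChain`, `DIDx509CN` and `CheckIssuer` are mine, and the exact did:x509 encoding details are an assumption to be compared against `sign1util did-x509` output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Chain is a leaf-first certificate chain: chain[0] is the signing leaf and
// chain[len(chain)-1] is the self-signed root.
type Chain []*x509.Certificate

// newCert signs tmpl with signer under parent and parses the resulting DER.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestChain generates a throwaway P-384 root CA and a leaf signed by it.
// Constructed for this example only: nothing is written to disk, so every run
// starts from a fresh chain, as the Makefile on the page intends.
func NewTestChain(rootCN, leafCN string) (Chain, *ecdsa.PrivateKey, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf, err := newCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return Chain{leaf, root}, leafKey, nil
}

// DIDx509CN derives the did:x509 identifier the chain yields under the
// "subject CN" policy: the SHA-256 fingerprint of the root certificate's DER,
// base64url without padding, then the leaf CN (percent-encoded). This is the
// did:x509 layout as I understand it (assumption); the exact encoding rules
// should be checked against sign1util did-x509.
func DIDx509CN(chain Chain) (string, error) {
	if len(chain) < 2 {
		return "", errors.New("chain must contain a leaf and at least one CA certificate")
	}
	root := chain[len(chain)-1]
	sum := sha256.Sum256(root.Raw)
	fp := base64.RawURLEncoding.EncodeToString(sum[:])
	cn := url.PathEscape(chain[0].Subject.CommonName)
	return fmt.Sprintf("did:x509:0:sha256:%s::subject:CN:%s", fp, cn), nil
}

// CheckIssuer is the consumer-side check: the issuer DID a fragment claims
// must be the one its own certificate chain produces. A hand-set override
// that does not match is an error, not something to trust.
func CheckIssuer(claimed string, chain Chain) error {
	want, err := DIDx509CN(chain)
	if err != nil {
		return err
	}
	if claimed != want {
		return fmt.Errorf("issuer DID %q does not match certificate chain (chain yields %q)", claimed, want)
	}
	return nil
}

func main() {
	chain, _, err := NewTestChain("Test Root", "Test Leaf")
	if err != nil {
		panic(err)
	}
	did, _ := DIDx509CN(chain)
	fmt.Println("derived issuer:", did)
	fmt.Println("matching DID accepted:", CheckIssuer(did, chain) == nil)
	// A constructed override pointing at some other root must be rejected.
	override := "did:x509:0:sha256:NOT-THIS-ROOT::subject:CN:Test%20Leaf"
	fmt.Println("override rejected:", CheckIssuer(override, chain) != nil)
}
```

The fingerprint is taken over the root rather than the leaf because the leaf is the thing that rotates on every `make clean`; pinning the CA plus a subject policy is what lets a verifier accept a fresh leaf while still rejecting a fragment whose claimed issuer was typed in by hand.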
Change order so that the infra.rego.cose exists.
force-pushed from 9346ecb to 5f5935c
Remove references to `infra.rego.cose.base64` from Makefile and code. Add `AUTOPARSE_CHAIN` param to makefile, which will parse the pem certs automatically, otherwise test values will be set. Update test expectations and parameters. Signed-off-by: Maksim An <[email protected]>
force-pushed from 5f5935c to 422c552
Tried `make all`, `go test ./...`, `make did-check`, and `make did-check AUTOPARSE_CHAIN=1` locally. Looks like they are working as expected to me.
Is adding this intentional? Looks like it's not used by any code. I guess it can be used to try out `%.rego.cose` though.
Signed-off-by: Ken Gordon [email protected]
Don't keep printing an empty 'Doc' when an error is detected in the cose file.
Clean up and match actual fragments. Don't base64 encode the rego policy.
Have the makefile extract the issuer from the self-signed certs so we can always start with a clean set. This avoids storing certs and keys, and also expiration trouble.