Trusted publishing: Support for CircleCI #13888
Comments
It also sounds like we shouldn't support CircleCI currently? Even if we resolve #13887 so that we verify that I think that means if we restrict
Maybe? Although I think partial support for users that are able to just restrict to our audience would probably be better than no support at all.
I'm personally torn on it, which is why I brought it up. My biggest concern is this would mean that it is impossible to use PyPI and sigstore together (though afaict sigstore isn't planning to support CircleCI until the shared list of audiences problem is addressed, so the question might be largely academic), and I think Trusted Publishers + sigstore is going to be our best-in-class solution for security in the future, so it feels kind of meh to support a platform that can't support what is likely to be our golden path? That being said, there's nothing inherently broken about it, so if people think it's worthwhile that's fine. I'm just worried about the fragility of a solution that relies on being the only thing someone wants to authenticate against.
I wanted to post an update that CircleCI has recently rolled out support for generating an ID token with a custom audience claim at the job/step level. This unblocks anyone who needs a token restricted to a single audience and gets around the limitation of having to share multiple audiences in a single pipeline token. We've also added a reply in the original sigstore issue sigstore/fulcio#591 (comment).
Per https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management, CircleCI now supports a customizable `aud` claim, which means we could support it as a trusted publisher. This is likely blocked on #13887 given that OIDC tokens from CircleCI might be intentionally shared across multiple third party providers.
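The claims-validation step the thread is circling around, written out as an added example in Python (this is not Warehouse's code and not CircleCI's). It assumes the JWT signature and issuer have already been checked against the provider's JWKS; what it adds is the strict audience policy: the `aud` claim must name exactly one audience, and it must be ours. A token whose `aud` also lists another relying party is the "shared audiences" case from #13887 and is rejected, because the same token could be presented to, or leaked from, that other party. The issuer URL, the `pypi` audience value, the org ID and the sample claim sets are all constructed for the example; the assumption that CircleCI's default pipeline token carries the organization ID as its `aud` is labelled as such.

```python
"""Strict single-audience validation for an OIDC trusted-publishing token.

Added example, not Warehouse or CircleCI code. The caller is assumed to have
already verified the JWS signature against the issuer's JWKS; this module only
enforces the claim policy that runs after that.
"""
import time
from typing import Any

# Hypothetical values: issuer shape and the audience PyPI would ask publishers to set.
ORG_ID = "11111111-2222-3333-4444-555555555555"              # constructed org ID
EXPECTED_ISS = f"https://oidc.circleci.com/org/{ORG_ID}"     # assumed issuer format
EXPECTED_AUD = "pypi"                                         # hypothetical audience

NOW = 1_700_000_000  # fixed clock so the constructed samples are deterministic


class TokenRejected(ValueError):
    """Raised with a short, log-safe reason when a token fails the policy."""


def normalize_aud(aud: Any) -> list:
    """RFC 7519 4.1.3: `aud` is either a single string or a non-empty array of strings."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise TokenRejected("aud claim missing or malformed")


def check_token_claims(claims: dict, *, expected_iss=EXPECTED_ISS,
                       expected_aud=EXPECTED_AUD, now=None) -> dict:
    """Return the claims if they satisfy the strict single-audience policy, else raise."""
    now = time.time() if now is None else now

    if claims.get("iss") != expected_iss:
        raise TokenRejected("unexpected issuer")

    aud = normalize_aud(claims.get("aud"))
    if expected_aud not in aud:
        raise TokenRejected("token not issued for this audience")
    # The #13887 concern: a token that is also valid for someone else is replayable
    # between relying parties, so we refuse it rather than just checking membership.
    extra = sorted(set(aud) - {expected_aud})
    if extra:
        raise TokenRejected(f"token also audienced for {extra}; shared-audience tokens are rejected")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("token expired or exp missing")
    if now < claims.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    return claims


def verdict(claims: dict, *, now=NOW) -> str:
    """Human-readable outcome, handy for logs and for exercising the policy."""
    try:
        check_token_claims(claims, now=now)
        return "accepted"
    except TokenRejected as err:
        return f"rejected: {err}"


# Constructed sample claim sets (not real tokens). Claim names under
# oidc.circleci.com/ are included for flavour only; the policy ignores them.
_BASE = {
    "iss": EXPECTED_ISS,
    "sub": f"org/{ORG_ID}/project/aaaa/user/bbbb",
    "iat": NOW - 60,
    "exp": NOW + 3540,
    "oidc.circleci.com/project-id": "aaaa",
}
# Assumed shape of CircleCI's pipeline-level token: aud is the organization ID.
DEFAULT_AUD_CLAIMS = {**_BASE, "aud": ORG_ID}
# Job/step-level token minted with a custom audience, as the update above describes.
CUSTOM_AUD_CLAIMS = {**_BASE, "aud": EXPECTED_AUD}
# The shared-audience case: one token meant for both PyPI and another party.
SHARED_AUD_CLAIMS = {**_BASE, "aud": [EXPECTED_AUD, "sigstore"]}

if __name__ == "__main__":
    for name, claims in [("default", DEFAULT_AUD_CLAIMS),
                         ("custom", CUSTOM_AUD_CLAIMS),
                         ("shared", SHARED_AUD_CLAIMS)]:
        print(f"{name:8s} {verdict(claims)}")
```

Only the custom-audience token is accepted. The default token fails because it is not addressed to us at all, and the multi-audience token fails even though `pypi` appears in its `aud`, which is the whole point of the policy: membership in `aud` is necessary but, for a credential that authorizes publishing, not sufficient.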