Current cosign github:// URI reference key generation feature is not using the repository public key for secrets encryption.

The key reference is only added to the GitHub secrets API request; the actual secret is provisioned in clear text and is not encrypted before it reaches GitHub. As a result, when the secret is decrypted for use in a codespace (for example by a GitHub Action), the latter fails silently and the resulting secret value is empty.

Fix: use a libsodium sealed box to encrypt secrets before they reach GitHub, as per the API guidelines.
Manual test:

Before fix
1) $ cosign generate-key-pair github://[OWNER]/[PROJECT_NAME]
2) Run an action that uses the COSIGN_PASSWORD and COSIGN_PRIVATE_KEY secrets
Actual result: secret sizes are equal to 0

After fix
1) $ cosign generate-key-pair github://[OWNER]/[PROJECT_NAME]
2) Run an action that uses the COSIGN_PASSWORD and COSIGN_PRIVATE_KEY secrets
Actual result: secret sizes are as provisioned by cosign
Fixes: sigstore#838
Signed-off-by: Mykola Kondratenko <[email protected]>
Description
Consider the following example:
What these providers are going to do is simply call the secrets API to create or update the generated private key in the secret variables. Something like: [UPSERT] /repos/:owner/:repo/actions/secrets into the $COSIGN_PRIVATE_KEY variable.
GitHub: https://docs.github.com/en/rest/reference/actions#secrets
GitLab: https://docs.gitlab.com/ee/api/project_level_variables.html
P.S.: I am not so sure if we should call GitHub and GitLab KMS providers. What about a -git flag? ^ @developer-guy @erkanzileli 🤗