Fulcio certs: Encode the CI/CD "environment" in an extension? #1845
Comments
|
TIL, I wasn't aware of this feature! This is neat, would be a nice way to enforce multi-party review for releases. I'm supportive of adding this as an extension. cc @kommendorkapten @feelepxyz for GitHub's perspective. Let's also loop in the other CI providers on the documentation update. |
|
Interesting scope with multi-party review for releases! We have discussed the usage of the If we can document this properly, I think it may add value for more advanced users. The GitHub Actions environment feature is really good for managing releases and deployments, I'm using that for a ton of things. Getting the feature carried over to a signing certificate can definitely help in some scenarios. For things like OIDC based trusted publishing (or internally build and deployed software), a feature like environment makes a ton of sense, as the trust model is managed completely by a "single entity", which knows about the expected values. The downside of the environment claim for the general OSS use-case is that it's not as clear how it should be used during verification (as it's just an opaque producer defined string), but providing this option does not hurt, as the producer can specify what information is expected OOB to the consumers. |
Yep, this aligns with what I was thinking! It's essentially just an opaque string from the verifying side, but when used in conjunction with Trusted Publishing it's the missing piece towards aligning the two "identities" completely 🙂 |
Problem / value statement
The current Fulcio X.509 extensions include
Runner Environment, which corresponds to a GitHub Actions infrastructure scope, e.g.github-hostedorself-hostedor similar.However, there's another kind of "environment" in GitHub Actions (and possibly other CI/CD providers) as well: job within workflows can configure deployment environments, which have user-controlled names and can be mapped to deployment protection rules.
For example, here's an example of an environment (named
pypi) used in an individual workflow job:https://github.com/trailofbits/pypi-attestations/blob/464bd18b42b7ba207d6a77e9cca468116aa0406b/.github/workflows/release.yml#L39-L41
When a job references an environment, its OIDC claims include references to that environment. In particular, the
subclaim contains theenvironment:$NAMEclause, and there's also a separateenvironmentclaim that contains the environment name directly. Examples of this can be seen in GitHub's OIDC docs.At the moment, it looks like Fulcio issued certificates don't reflect these user-controlled deployment environments, probably because there's no dedicated OID/extension definition for them. For example, this recent log entry has no reference to the
pypienvironment it came from. This is true even for the subject, since Fulcio rewrites the SAN away from thesubclaim provided by the GitHub Actions OIDC credential.It would be useful to include the deployment environment's name in the Fulcio extensions for a few reasons:
Proposal
Deployment Environmentor similar (maybe there's a better name)Deployment Environmentas corresponding to theenvironmentclaim on GitHub Actions and GitLab CI/CD (where it appears to have similar semantics)CC @haydentherapper @segiddins as interested parties 🙂
The text was updated successfully, but these errors were encountered: