feat: add support for fetching certs with github token

jyakobs · Feb 27, 2023 · a37eeb2 · a37eeb2
1 parent 8fc874d
commit a37eeb2
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 2 deletions.
diff --git a/.github/workflows/test-github-token.yml b/.github/workflows/test-github-token.yml
@@ -0,0 +1,30 @@
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+name: test-github-token
+on: [push, pull_request]
+jobs:
+ test-token:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.19.x
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - uses: actions/cache@v2
+ with:
+ path: |
+ ~/go/pkg/mod
+ ~/.cache/go-build
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+ - name: Build
+ run: make build
+
+ - name: Test
+ run: ./bin/witness run -l debug -s test -a github --enable-archivist -o test.json --fulcio https://v1.fulcio.sigstore.dev --fulcio-oidc-client-id https://oauth2.sigstore.dev/auth --fulcio-oidc-issuer sigstore --timestamp-servers https://freetsa.org/tsr -- echo "hello" > test.txt
+ - name: log output
+ run: cat test.json
diff --git a/cmd/keyloader.go b/cmd/keyloader.go
@@ -31,7 +31,7 @@ func loadSigners(ctx context.Context, ko options.KeyOptions) ([]cryptoutil.Signe
 
  //Load key from fulcio
  if ko.FulcioURL != "" {
- fulcioSigner, err := fulcio.Signer(ctx, ko.FulcioURL, ko.OIDCClientID, ko.OIDCIssuer, "")
+ fulcioSigner, err := fulcio.Signer(ctx, ko.FulcioURL, ko.OIDCClientID, ko.OIDCIssuer, ko.Token)
  if err != nil {
  err := fmt.Errorf("failed to create signer from Fulcio: %w", err)
  errors = append(errors, err)

diff --git a/docs/witness_run.md b/docs/witness_run.md
@@ -16,6 +16,7 @@ witness run [cmd] [flags]
  --fulcio string Fulcio address to sign with
  --fulcio-oidc-client-id string OIDC client ID to use for authentication
  --fulcio-oidc-issuer string OIDC issuer to use for authentication
+ --fulcio-token string Raw token to use for authentication
  -h, --help help for run
  -i, --intermediates strings Intermediates that link trust back to a root of trust in the policy
  -k, --key string Path to the signing key

diff --git a/docs/witness_sign.md b/docs/witness_sign.md
@@ -18,6 +18,7 @@ witness sign [file] [flags]
  --fulcio string Fulcio address to sign with
  --fulcio-oidc-client-id string OIDC client ID to use for authentication
  --fulcio-oidc-issuer string OIDC issuer to use for authentication
+ --fulcio-token string Raw token to use for authentication
  -h, --help help for sign
  -f, --infile string Witness policy file to sign
  -i, --intermediates strings Intermediates that link trust back to a root of trust in the policy

diff --git a/go.mod b/go.mod
@@ -14,6 +14,7 @@ require (
 require (
  github.com/coreos/go-oidc/v3 v3.5.0 // indirect
  github.com/jmespath/go-jmespath v0.4.0 // indirect
+ github.com/klauspost/compress v1.15.15 // indirect
  github.com/opencontainers/go-digest v1.0.0 // indirect
  github.com/segmentio/ksuid v1.0.4 // indirect
  github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect

diff --git a/go.sum b/go.sum
@@ -231,7 +231,8 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c=
+github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
+github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=

diff --git a/options/key.go b/options/key.go
@@ -24,9 +24,11 @@ type KeyOptions struct {
  FulcioURL string
  OIDCIssuer string
  OIDCClientID string
+ Token string
 }
 
 func (ko *KeyOptions) AddFlags(cmd *cobra.Command) {
+ cmd.Flags().StringVar(&ko.Token, "fulcio-token", "", "Raw token to use for authentication")
  cmd.Flags().StringVarP(&ko.KeyPath, "key", "k", "", "Path to the signing key")
  cmd.Flags().StringVar(&ko.CertPath, "certificate", "", "Path to the signing key's certificate")
  cmd.Flags().StringSliceVarP(&ko.IntermediatePaths, "intermediates", "i", []string{}, "Intermediates that link trust back to a root of trust in the policy")