Merge pull request #1250 from fluxcd/cosign-identity-matching

cosign: allow identity matching for keyless verification

api/v1beta2/ocirepository_types.go

@@ -190,6 +190,28 @@ type OCIRepositoryVerification struct {
 	// trusted public keys.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// MatchOIDCIdentity specifies the identity matching criteria to use
+	// while verifying an OCI artifact which was signed using Cosign keyless
+	// signing. The artifact's identity is deemed to be verified if any of the
+	// specified matchers match against the identity.
+	// +optional
+	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
+}
+
+// OIDCIdentityMatch specifies options for verifying the certificate identity,
+// i.e. the issuer and the subject of the certificate.
+type OIDCIdentityMatch struct {
+	// Issuer specifies the regex pattern to match against to verify
+	// the OIDC issuer in the Fulcio certificate. The pattern must be a
+	// valid Go regular expression.
+	// +required
+	Issuer string `json:"issuer"`
+	// Subject specifies the regex pattern to match against to verify
+	// the identity subject in the Fulcio certificate. The pattern must
+	// be a valid Go regular expression.
+	// +required
+	Subject string `json:"subject"`
 }
 
 // OCIRepositoryStatus defines the observed state of OCIRepository

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -411,6 +411,32 @@ spec:
                   Chart dependencies, which are not bundled in the umbrella chart
                   artifact, are not verified.
                 properties:
+                  matchOIDCIdentity:
+                    description: MatchOIDCIdentity specifies the identity matching
+                      criteria to use while verifying an OCI artifact which was signed
+                      using Cosign keyless signing. The artifact's identity is deemed
+                      to be verified if any of the specified matchers match against
+                      the identity.
+                    items:
+                      description: OIDCIdentityMatch specifies options for verifying
+                        the certificate identity, i.e. the issuer and the subject
+                        of the certificate.
+                      properties:
+                        issuer:
+                          description: Issuer specifies the regex pattern to match
+                            against to verify the OIDC issuer in the Fulcio certificate.
+                            The pattern must be a valid Go regular expression.
+                          type: string
+                        subject:
+                          description: Subject specifies the regex pattern to match
+                            against to verify the identity subject in the Fulcio certificate.
+                            The pattern must be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
                   provider:
                     default: cosign
                     description: Provider specifies the technology used to sign the

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -164,6 +164,32 @@ spec:
                   public keys used to verify the signature and specifies which provider
                   to use to check whether OCI image is authentic.
                 properties:
+                  matchOIDCIdentity:
+                    description: MatchOIDCIdentity specifies the identity matching
+                      criteria to use while verifying an OCI artifact which was signed
+                      using Cosign keyless signing. The artifact's identity is deemed
+                      to be verified if any of the specified matchers match against
+                      the identity.
+                    items:
+                      description: OIDCIdentityMatch specifies options for verifying
+                        the certificate identity, i.e. the issuer and the subject
+                        of the certificate.
+                      properties:
+                        issuer:
+                          description: Issuer specifies the regex pattern to match
+                            against to verify the OIDC issuer in the Fulcio certificate.
+                            The pattern must be a valid Go regular expression.
+                          type: string
+                        subject:
+                          description: Subject specifies the regex pattern to match
+                            against to verify the identity subject in the Fulcio certificate.
+                            The pattern must be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
                   provider:
                     default: cosign
                     description: Provider specifies the technology used to sign the

docs/api/v1beta2/source.md

@@ -3319,6 +3319,71 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 trusted public keys.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>matchOIDCIdentity</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.OIDCIdentityMatch">
+[]OIDCIdentityMatch
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchOIDCIdentity specifies the identity matching criteria to use
+while verifying an OCI artifact which was signed using Cosign keyless
+signing. The artifact&rsquo;s identity is deemed to be verified if any of the
+specified matchers match against the identity.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<h3 id="source.toolkit.fluxcd.io/v1beta2.OIDCIdentityMatch">OIDCIdentityMatch
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification</a>)
+</p>
+<p>OIDCIdentityMatch specifies options for verifying the certificate identity,
+i.e. the issuer and the subject of the certificate.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>issuer</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Issuer specifies the regex pattern to match against to verify
+the OIDC issuer in the Fulcio certificate. The pattern must be a
+valid Go regular expression.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>subject</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Subject specifies the regex pattern to match against to verify
+the identity subject in the Fulcio certificate. The pattern must
+be a valid Go regular expression.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

docs/spec/v1beta2/helmcharts.md

@@ -253,11 +253,13 @@ For practical information, see
 **Note:** This feature is available only for Helm charts fetched from an OCI Registry.
 
 `.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+signatures. The field offers three subfields:
 
 - `.provider`, to specify the verification provider. Only supports `cosign` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
   the HelmChart, containing the Cosign public keys of trusted authors.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers. Please see
+   [Keyless verification](#keyless-verification) for more details.
 
 ```yaml
 ---
@@ -307,6 +309,18 @@ For publicly available HelmCharts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying  HelmCharts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -325,6 +339,9 @@ spec:
   version: ">=6.1.6"
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 ```yaml

docs/spec/v1beta2/ocirepositories.md

@@ -501,11 +501,13 @@ for more information.
 ### Verification
 
 `.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+signatures. The field offers three subfields:
 
 - `.provider`, to specify the verification provider. Only supports `cosign` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
   the OCIRepository, containing the Cosign public keys of trusted authors.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers. Please see
+   [Keyless verification](#keyless-verification) for more details.
 
 ```yaml
 ---
@@ -555,6 +557,18 @@ For publicly available OCI artifacts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying artifacts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -568,6 +582,9 @@ spec:
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 The controller verifies the signatures using the Fulcio root CA and the Rekor

internal/controller/helmchart_controller.go

@@ -29,6 +29,7 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/opencontainers/go-digest"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	helmgetter "helm.sh/helm/v3/pkg/getter"
 	helmreg "helm.sh/helm/v3/pkg/registry"
 	helmrepo "helm.sh/helm/v3/pkg/repo"
@@ -1338,6 +1339,15 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel
 		}
 
 		// if no secret is provided, add a keyless verifier
+		var identities []cosign.Identity
+		for _, match := range obj.Spec.Verify.MatchOIDCIdentity {
+			identities = append(identities, cosign.Identity{
+				IssuerRegExp:  match.Issuer,
+				SubjectRegExp: match.Subject,
+			})
+		}
+		defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIdentities(identities))
+
 		verifier, err := soci.NewCosignVerifier(ctx, defaultCosignOciOpts...)
 		if err != nil {
 			return nil, err