Add support for Buildkite OIDC tokens #225
Conversation
| "https://oauth2.sigstage.dev/auth" => "email", | ||
| "https://token.actions.githubusercontent.com" => "job_workflow_ref" | ||
| "https://token.actions.githubusercontent.com" => "job_workflow_ref", | ||
| "https://agent.buildkite.com" => "pipeline_slug" |
There was a problem hiding this comment.
we actually need two claims to generate the full identity for a Buildkite fulcio certificate. I do that further down, which is a bit messy
yob
force-pushed
the
buildkite
branch
2 times, most recently
from
d2fcad3 to
62c1d06
Compare
|
Interesting that the smoketests are failing, I don't think I changed anything that would break GitHub Actions OIDC requests. On the topic of tests: there didn't seem to be unit tests for either of the files I changed, so I haven't added my own. Maybe the smoketests are the key automation that's being used to prevent regressions? If so, I'm open to ideas on the best way to test the Buildkite code paths. Smoke tests would require a Buildkite account which I'm sure we could arrange, but it'll be a complication to the suite. |
There was a problem hiding this comment.
It's probably a permissions thing, I wouldn't worry about it, but cc @woodruffw for thoughts. Currently, the GitHub codepath is exercised both by the smoke tests and the conformance test suite, so this would likely require a basic unit test for coverage
Add minimal support required to generate attestations for rubygems
trusted publisher support in a Buildkite job
1. Teach sigstore-cli gem how to detect when it's running in a Buildkite
job, and how to request a Buildkite OIDC token automatically
2. Teach sigstore gem how to parse an Buildkite OIDC token and generate
the identity that fulcio uses for the x509 common name in
certificates for Buildkite OIDC tokens
With these changes, the following command works in a Buildkite job:
bundle exec sigstore-cli sign <somefile> --bundle bundle.sigstore.json
I've tested this using the pipeline defined in a gist:
https://gist.github.com/yob/512f079e0586d49d125547ad548c08b5
The pipeline is private [1], however an example rekor log for a bundle
created using this branch is at [2]
[1] https://buildkite.com/yob-opensource/sigstore-ruby-test/
[2] https://search.sigstore.dev/?logIndex=176164097
Signed-off-by: James Healy <[email protected]>
|
|
||
| def buildkite_agent_found? | ||
| _, status = Open3.capture2("which buildkite-agent") | ||
| status.success? |
There was a problem hiding this comment.
using open3 from stdlib is a handy way to avoid using globals and still check the exist status, but I'm open to alternatives if you'd prefer
| end | ||
|
|
||
| def request_token | ||
| token, status = Open3.capture2("buildkite-agent oidc request-token --audience sigstore") |
There was a problem hiding this comment.
| token, status = Open3.capture2("buildkite-agent oidc request-token --audience sigstore") | |
| token, status = Open3.capture2("buildkite-agent", "oidc", "request-token", "--audience", "sigstore") |
| status.success? | ||
| end | ||
|
|
||
| def request_token |
There was a problem hiding this comment.
we can delete buildkite_agent_found? entirely if request_token is made to rescue Errno::ENOENT and Errno::EACCES and then re-raises AmbientCredentialError
Found the sign command in rubygems/release-gem#11 Based on sigstore/sigstore-ruby#225, the sigstore-cli sign command only works when run in GitHub Actions, right now. Locally, I got $ ruby -S gem exec sigstore-cli:0.2.1 sign slenips --bundle attestation.sigstore.json Fetching protobug-0.1.0.gem Fetching sigstore-cli-0.2.1.gem Fetching protobug_well_known_protos-0.1.0.gem Fetching protobug_googleapis_field_behavior_protos-0.1.0.gem Fetching protobug_sigstore_protos-0.1.0.gem Fetching sigstore-0.2.1.gem Failed to detect an ambient identity token, please provide one via --identity-token (Sigstore::Error::InvalidIdentityToken)
2 participants
Summary
Add minimal support required to generate attestations for rubygems trusted publisher support in a Buildkite job
With these changes, the following command works in a Buildkite job:
I've tested this using the pipeline defined in a gist: https://gist.github.com/yob/512f079e0586d49d125547ad548c08b5
The pipeline is private [1], however an example rekor log for a bundle created using this branch is at [2]
[1] https://buildkite.com/yob-opensource/sigstore-ruby-test/
[2] https://search.sigstore.dev/?logIndex=176164097
Fixes #224
Release Note