Amend HSM cert usage #151

Merged
merged 1 commit into from
Jul 26, 2021


@lukehinds lukehinds commented Jul 26, 2021

There was an issue with invalid key types when verifying
cosign signed registry sigs with a fulcio cert generated using
the fulcio createca command

This PR makes the resulting createca generated cert have parity
to GCA generated certs

The result is an HSM / createca root cert can be used to both sign
and verify registry entries

Resolves: #150

Signed-off-by: Luke Hinds [email protected]

@cpanato cpanato added this to the 0.2.0 milestone Jul 26, 2021
@cpanato cpanato requested a review from dlorenc July 26, 2021 09:40
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
BasicConstraintsValid: true, MaxPathLen: 1,
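Review bot: The added `MaxPathLen: 1` on the `BasicConstraintsValid` line and the removal of `x509.KeyUsageDigitalSignature` from `KeyUsage` both lack a comment saying why those values were chosen. A short comment above these fields, stating that the root is limited to signing certificates and CRLs and that a path length of 1 allows one intermediate CA beneath it, would keep a later edit from widening either by accident. Without digitalSignature on the root, signatures over anything other than certificates and CRLs have to come from certificates issued under it, which is worth confirming against the signing flow the PR description refers to.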
Member


nit: maybe to make it clear put the MaxPathLen: 1, in a new line

Member Author


I am not so sure about that, they sit within the same Basic Constraints key

Member


hmm, got it
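An added Go example (not code from this pull request or from Fulcio) that self-signs a throwaway root with the key usage shown before and after the change above and audits the parsed certificate against the new values. The names `makeRoot` and `auditRoot`, the `IsCA: true` field and the unconstrained path length in the "before" case are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeRoot self-signs a constructed sample root; IsCA is assumed, maxPathLen -1 means unconstrained.
func makeRoot(ku x509.KeyUsage, maxPathLen int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: true, MaxPathLen: maxPathLen,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// auditRoot lists where a parsed certificate deviates from the root values set in this PR.
func auditRoot(c *x509.Certificate) (issues []string) {
	if !c.BasicConstraintsValid || !c.IsCA {
		issues = append(issues, "not a CA")
	}
	if c.KeyUsage != x509.KeyUsageCertSign|x509.KeyUsageCRLSign {
		issues = append(issues, fmt.Sprintf("key usage %#x, want certSign|cRLSign", int(c.KeyUsage)))
	}
	if c.MaxPathLen != 1 {
		issues = append(issues, fmt.Sprintf("path length %d, want 1", c.MaxPathLen))
	}
	return issues
}

func main() {
	before, _ := makeRoot(x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, -1)
	after, _ := makeRoot(x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 1)
	fmt.Println("before:", auditRoot(before), "after:", auditRoot(after))
}
```

The same `auditRoot` check can be pointed at a PEM-decoded root produced by an HSM or by GCA to compare the two.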

Successfully merging this pull request may close these issues.

Issue with HSM generated key type