
Commit 1acc4b6

committed
Wire up timestamp authorities option to config.
Adds GITSIGN_TIMESTAMP_AUTHORITY config option for specifying a TSA URL in the gitsign config. Also adds an e2e test since this is a pain to test without a real TSA. Note: certain TSAs (notably freetsa.org) do not work due to a bug (github/smimesign#118); a fix is being pursued upstream.
1 parent e8d1ed2 commit 1acc4b6


6 files changed

+49
-30
lines changed


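--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -52,7 +52,7 @@ jobs:
 go-version: 1.19
 check-latest: true
 
-- name: Test Sign and Verify commit
+- name: Install Gitsign
 run: |
 set -e
@@ -72,13 +72,31 @@ jobs:
 
 # Verify tool is on our path
 gitsign -h
+- name: Test Sign and Verify commit
+run: |
+set -e
 
 # Sign commit
 git commit --allow-empty -S --message="Signed commit"
 
 # Verify commit
 git verify-commit HEAD
 
+# Extra debug info
+git cat-file commit HEAD | sed -n '/BEGIN/, /END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
+- name: Test Timestamped Commit
+env:
+# See https://knowledge.digicert.com/generalinformation/INFO4231.html
+GITSIGN_TIMESTAMP_AUTHORITY: "http://timestamp.digicert.com"
+run: |
+set -e
+
+# Sign commit
+git commit --allow-empty -S --message="Signed timestamp commit"
+
+# Verify commit
+git verify-commit HEAD
+
 # Extra debug info
 git cat-file commit HEAD | sed -n '/BEGIN/, /END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
 - name: Debug log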
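Review bot: The "Test Timestamped Commit" step never checks that a timestamp token was actually attached to the signature; `git verify-commit HEAD` passes equally well for an untimestamped signature, so a GITSIGN_TIMESTAMP_AUTHORITY value that is silently ignored would not fail the job. The debug pipeline already prints the PKCS7 structure, so the step can assert on it, e.g. `... | openssl pkcs7 -print -print_certs -text | grep -i timeStampToken` (confirm the attribute name OpenSSL prints for the RFC 3161 token before relying on it). The step also depends on a public third-party TSA, so a TSA outage fails CI for reasons unrelated to gitsign; a short comment on the step saying so would save the next person a debugging session.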

README.md

@@ -58,28 +58,30 @@ $ git config --local gitsign.fulcio https://fulcio.example.com
5858

5959
The following config options are supported:
6060

61-
| Option | Default | Description |
62-
| ----------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
63-
| fulcio | https://fulcio.sigstore.dev | Address of Fulcio server |
64-
| logPath | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
65-
| clientID | sigstore | OIDC client ID for application |
66-
| issuer | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
67-
| redirectURL | | OIDC Redirect URL |
68-
| rekor | https://rekor.sigstore.dev | Address of Rekor server |
69-
| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
61+
| Option | Default | Description |
62+
| ------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
63+
| fulcio | https://fulcio.sigstore.dev | Address of Fulcio server |
64+
| logPath | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
65+
| clientID | sigstore | OIDC client ID for application |
66+
| issuer | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
67+
| redirectURL | | OIDC Redirect URL |
68+
| rekor | https://rekor.sigstore.dev | Address of Rekor server |
69+
| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
70+
| timestampAuthority | | Optional address of timestamping authority. If set, a trusted timestamp will be included in the signature. |
7071

7172
### Environment Variables
7273

73-
| Environment Variable | Sigstore<br>Prefix | Default | Description |
74-
| ------------------------- | ------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
75-
| GITSIGN_CREDENTIAL_CACHE || | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. |
76-
| GITSIGN_CONNECTOR_ID || | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
77-
| GITSIGN_FULCIO_URL || https://fulcio.sigstore.dev | Address of Fulcio server |
78-
| GITSIGN_LOG || | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
79-
| GITSIGN_OIDC_CLIENT_ID || sigstore | OIDC client ID for application |
80-
| GITSIGN_OIDC_ISSUER || https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
81-
| GITSIGN_OIDC_REDIRECT_URL || | OIDC Redirect URL |
82-
| GITSIGN_REKOR_URL || https://rekor.sigstore.dev | Address of Rekor server |
74+
| Environment Variable | Sigstore<br>Prefix | Default | Description |
75+
| --------------------------- | ------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
76+
| GITSIGN_CREDENTIAL_CACHE || | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. |
77+
| GITSIGN_CONNECTOR_ID || | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
78+
| GITSIGN_FULCIO_URL || https://fulcio.sigstore.dev | Address of Fulcio server |
79+
| GITSIGN_LOG || | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
80+
| GITSIGN_OIDC_CLIENT_ID || sigstore | OIDC client ID for application |
81+
| GITSIGN_OIDC_ISSUER || https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
82+
| GITSIGN_OIDC_REDIRECT_URL || | OIDC Redirect URL |
83+
| GITSIGN_REKOR_URL || https://rekor.sigstore.dev | Address of Rekor server |
84+
| GITSIGN_TIMESTAMP_AUTHORITY || | Optional address of timestamping authority. If set, a trusted timestamp will be included in the signature. |
8385

8486
For environment variables that support `Sigstore Prefix`, the values may be
8587
provided with either a `GITSIGN_` or `SIGSTORE_` prefix - e.g.

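--- a/command_sign.go
+++ b/command_sign.go
@@ -63,7 +63,7 @@ func commandSign(cfg *config.Config) error {
 
 sig, cert, err := git.Sign(ctx, rekor, userIdent, dataBuf.Bytes(), signature.SignOptions{
 Detached: *detachSignFlag,
-TimestampAuthority: *tsaOpt,
+TimestampAuthority: cfg.TimestampAuthority,
 Armor: *armorFlag,
 IncludeCerts: *includeCertsOpt,
 })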

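--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -48,6 +48,9 @@ type Config struct {
 // for more details.
 ConnectorID string
 
+// Timestamp Authority address to use to get a trusted timestamp
+TimestampAuthority string
+
 // Path to log status output. Helpful for debugging when no TTY is available in the environment.
 LogPath string
 }
@@ -83,6 +86,7 @@ func Get() (*Config, error) {
 out.RedirectURL = envOrValue(fmt.Sprintf("%s_OIDC_REDIRECT_URL", prefix), out.RedirectURL)
 out.Issuer = envOrValue(fmt.Sprintf("%s_OIDC_ISSUER", prefix), out.Issuer)
 out.ConnectorID = envOrValue(fmt.Sprintf("%s_CONNECTOR_ID", prefix), out.ConnectorID)
+out.TimestampAuthority = envOrValue(fmt.Sprintf("%s_TIMESTAMP_AUTHORITY", prefix), out.TimestampAuthority)
 }
 
 out.LogPath = envOrValue("GITSIGN_LOG", out.LogPath)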
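Review bot: The new `TimestampAuthority` value is taken from the environment (and, per the README, from git config) and handed straight to signing in command_sign.go without any validation, so a typo or a non-URL value only surfaces as an error from the TSA client at commit time. Since Get is the one place the value is assembled, it should reject anything that is not an http(s) URL before returning; Get continues past the hunk, so the check belongs after the env overrides and before the final return, and needs a `net/url` import. The field comment could also state the contract the README promises: `// TimestampAuthority is the URL of an RFC 3161 timestamp authority; when empty, no timestamp is requested.`
```go
// … unchanged: env overrides above …
if out.TimestampAuthority != "" {
	u, err := url.Parse(out.TimestampAuthority)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("invalid timestamp authority %q: expected an http(s) URL", out.TimestampAuthority)
	}
}
// … unchanged: rest of Get …
```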

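--- a/internal/signature/sign.go
+++ b/internal/signature/sign.go
@@ -90,13 +90,13 @@ func Sign(ident Identity, body []byte, opts SignOptions) ([]byte, *x509.Certific
 
 chain, err := ident.CertificateChain()
 if err != nil {
-return nil, nil, fmt.Errorf("failed to get idenity certificate chain: %w", err)
+return nil, nil, fmt.Errorf("failed to get identity certificate chain: %w", err)
 }
 // TODO: look into adding back support for opts.IncludeCerts here.
 // This was removed due to unstable ordering in the cert chain when
 // intermediates were included.
 if chain, err = certsForSignature(chain, 1); err != nil {
-return nil, nil, err
+return nil, nil, fmt.Errorf("failed to extract certificates from chain: %w", err)
 }
 if err := sd.SetCertificates(chain); err != nil {
 return nil, nil, fmt.Errorf("failed to set certificates: %w", err)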

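--- a/main.go
+++ b/main.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "io"
 "os"
+"runtime/debug"
 
 "github.com/mattn/go-tty"
 "github.com/pborman/getopt/v2"
@@ -29,11 +30,6 @@ import (
 "github.com/sigstore/gitsign/internal/config"
 )
 
-const (
-// TODO: Use fulcio as timestamp authority.
-defaultTSA = ""
-)
-
 var (
 // Action flags
 helpFlag = getopt.BoolLong("help", 'h', "print this help message")
@@ -46,7 +42,6 @@ var (
 detachSignFlag = getopt.BoolLong("detach-sign", 'b', "make a detached signature")
 armorFlag = getopt.BoolLong("armor", 'a', "create ascii armored output")
 statusFdOpt = getopt.IntLong("status-fd", 0, -1, "write special status strings to the file descriptor n.", "n")
-tsaOpt = getopt.StringLong("timestamp-authority", 't', defaultTSA, "URL of RFC3161 timestamp authority to use for timestamping", "url")
 includeCertsOpt = getopt.IntLong("include-certs", 0, -2, "-3 is the same as -2, but ommits issuer when cert has Authority Information Access extension. -2 includes all certs except root. -1 includes all certs. 0 includes no certs. 1 includes leaf cert. >1 includes n from the leaf. Default -2.", "n")
 
 // Remaining arguments
@@ -104,7 +99,7 @@ func wrapIO(cfg *config.Config, fn func(*config.Config) error) error {
 // Log any panics to ttyout, since otherwise they will be lost to os.Stderr.
 defer func() {
 if r := recover(); r != nil {
-fmt.Fprintln(ttyout, r)
+fmt.Fprintln(ttyout, string(debug.Stack()), r)
 }
 }()
 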
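Review bot: In the recover handler, `fmt.Fprintln(ttyout, string(debug.Stack()), r)` prints the whole stack dump first and the panic value after it, separated by a space, so the actual panic message lands at the tail of a multi-line trace where it is easy to miss; `fmt.Fprintf(ttyout, "panic: %v\n%s", r, debug.Stack())` puts the value first and drops the string conversion. wrapIO's body continues outside the hunk, so whether the recovered panic is also turned into a returned error cannot be seen here. Separately, the earlier hunks remove the `-t/--timestamp-authority` flag outright; any wrapper or gpg.program setup that still passes it will now fail option parsing, and the commit message does not mention the removal, so either keep the flag as a deprecated override of cfg.TimestampAuthority or call the break out explicitly.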
