Comments (4)
> `GITHUB_TOKEN` which allows requesting certs from Fulcio. Not sure yet what we can do here, besides hardening our implementation and verifying that the keys don't leak in coredump, in logs, etc. Somehow we'd like to add scope to the `GITHUB_TOKEN` to be one-time-use only, but that would require support from GitHub. Maybe something we can propose to them. Let me know if you have other ideas.

`GITHUB_TOKEN` gets scrubbed from logs at least. Is there a way that we could leak it in a coredump? If something crashes we would have to extract the coredump somehow for it to leak, no?

> - The signing key: shall we enforce, during verification, that there exists a single rekor entry with the certificate?

I'm not sure I follow. How does verifying there exists a single rekor entry with the cert prevent leaks of the private signing key?

Maybe this issue is mostly subsumed by #897? Is there anything we need to do for this issue?

from slsa-github-generator.
> > `GITHUB_TOKEN` which allows requesting certs from Fulcio. Not sure yet what we can do here, besides hardening our implementation and verifying that the keys don't leak in coredump, in logs, etc. Somehow we'd like to add scope to the `GITHUB_TOKEN` to be one-time-use only, but that would require support from GitHub. Maybe something we can propose to them. Let me know if you have other ideas.
>
> `GITHUB_TOKEN` gets scrubbed from logs at least. Is there a way that we could leak it in a coredump? If something crashes we would have to extract the coredump somehow for it to leak, no?

Yes, it's hard to account for all scenarios. It could also be a leak internal to GH, their SREs, etc.

> > - The signing key: shall we enforce, during verification, that there exists a single rekor entry with the certificate?
>
> I'm not sure I follow. How does verifying there exists a single rekor entry with the cert prevent leaks of the private signing key?

If the token does not leak, but the key+cert does, someone could sign arbitrary data. Our generators sign a single blob with a cert, so we could detect the leak by verifying that only a single signature exists for each certificate.

from slsa-github-generator.
> Our generators sign a single blob with a cert, so we could detect the leak by verifying that only a single signature exists for each certificate.

Ok, I see. Basically you want to detect if someone used our generator to sign a second malicious artifact after the original was created? If the key itself was leaked, couldn't they theoretically just use it without using our generators and creating another rekor entry?

from slsa-github-generator.
Not our generator, but the cert we used. We would detect the double sign for a single cert and find out. The assumption being that we do an online verification.

from slsa-github-generator.
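As an added illustration of the single-signature check discussed above (example code, not part of the slsa-github-generator project or sigstore): it runs over a constructed list of Rekor-style entries, flags any certificate that appears more than once, and accepts an artifact only when its certificate has exactly one entry covering that artifact. The entry fields and the SHA-256 certificate fingerprint are assumptions for the example, not Rekor's actual schema.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the result of an online Rekor search: each entry
# records the signing certificate (PEM bytes, abbreviated) and the digest of
# the artifact it signed. Real entries also carry the signature, log index
# and integrated time; only the cert/artifact pair matters for this check.
CERT_A = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-cert-build-1\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-cert-build-2\n-----END CERTIFICATE-----\n"

SAMPLE_ENTRIES = [
    {"uuid": "1", "cert": CERT_A, "artifact_sha256": "aa" * 32},
    {"uuid": "2", "cert": CERT_B, "artifact_sha256": "bb" * 32},
    # Second entry for CERT_B: the pattern a leaked key+cert would produce.
    {"uuid": "3", "cert": CERT_B, "artifact_sha256": "cc" * 32},
]


def cert_fingerprint(cert_pem: bytes) -> str:
    """Stable identity for a certificate (assumed: SHA-256 of the PEM bytes)."""
    return hashlib.sha256(cert_pem).hexdigest()


def entries_for_cert(entries, cert_pem: bytes):
    """All log entries whose signing certificate matches cert_pem."""
    fp = cert_fingerprint(cert_pem)
    return [e for e in entries if cert_fingerprint(e["cert"]) == fp]


def verify_single_use(entries, cert_pem: bytes, expected_artifact_sha256: str):
    """Return (ok, reason): ok only if the cert has exactly one entry and that
    entry covers the artifact being verified. Requires querying the log
    (online verification), as the thread assumes."""
    matches = entries_for_cert(entries, cert_pem)
    if not matches:
        return False, "no rekor entry for certificate"
    if len(matches) > 1:
        uuids = [m["uuid"] for m in matches]
        return False, f"certificate used {len(matches)} times (expected 1): uuids {uuids}"
    if matches[0]["artifact_sha256"] != expected_artifact_sha256:
        return False, "single entry does not cover expected artifact"
    return True, "ok"


def find_reused_certs(entries):
    """Fleet-wide sweep: map fingerprint -> entry uuids for every cert seen
    more than once, i.e. the double-sign condition the thread wants to detect."""
    by_cert = defaultdict(list)
    for e in entries:
        by_cert[cert_fingerprint(e["cert"])].append(e["uuid"])
    return {fp: uuids for fp, uuids in by_cert.items() if len(uuids) > 1}
```

This only catches misuse that produces a second log entry; a signature never uploaded to Rekor is invisible to it, which is why the check complements, rather than replaces, keeping the key out of coredumps and logs.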