Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proxy: Verify *either* toplevel or target #2400

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Commits on Aug 15, 2024

  1. proxy: Move policycontext into global state

    I am not aware of a reason not to just cache this for the life
    of the proxy, like we do other global state.
    
    Prep for further changes.
    
    Signed-off-by: Colin Walters <[email protected]>
    cgwalters committed Aug 15, 2024
    Configuration menu
    Copy the full SHA
    5e88bb0 View commit details
    Browse the repository at this point in the history
  2. proxy: Verify *either* toplevel or target

    (Only compile tested locally)
    
    An issue was raised in that a current Red Hat internal build system
    was performing a signature just on the per-architecture manifest,
    but the current proxy code is expecting a signature on the manifest
    list.
    
    To quote Miloslav from that bug:
    
    > Podman signs both the per-platform items and the top level,
    > and enforces signatures only on per-platform items. cosign,
    > by default, signs only the top level (and has an option to
    > sign everything), I’m not sure which one it enforces.
    > I don’t immediately recall other platforms.
    
    We believe the current proxy code is secure since
    we always require signatures (if configured) on the manifest
    list, and the manifest list covers the individual manifests
    via sha256 digest.
    
    However, we want to support signatures only being present
    on the per-arch manifest too in order to be flexible.
    
    Yet, we can't hard switch to requiring signatures on the
    per-arch manifests as that would immediately break anyone
    relying on the current behavior of validating the toplevel.
    
    Change the logic here to:
    
    - Verify signature on the manifest list, and cache the error (if any)
    - Fetch the manifest
    - Verify signature on the manifest
    - Allow if *either* signature was accepted; conversely, only error
      if signature validation failed on *both* the manifest list and
      manifest
    
    This also switches things to cache the manifest upfront instead
    of doing it lazily on `GetManifest/GetConfig`; in practice
    callers were always immediately requesting those anyways.
    The use case of just fetching blobs exists (e.g. to resume
    an interrupted fetch), but is relatively obscure and
    in general I think it's good to re-verify signatures on
    each operation.
    
    Signed-off-by: Colin Walters <[email protected]>
    cgwalters committed Aug 15, 2024
    Configuration menu
    Copy the full SHA
    21bf7d8 View commit details
    Browse the repository at this point in the history