From 6fa837d3c9a8bb3d2c59526938a49ec736d3ae18 Mon Sep 17 00:00:00 2001 From: jedarden Date: Wed, 20 May 2026 19:36:09 -0400 Subject: [PATCH] docs(pdftract-8eo1): add verification note for cosign keyless signing implementation Status: Implementation COMPLETE, infrastructure blocker REMAINING Implemented: - cosign installed in pdftract-github-release.yaml and pdftract-docker-build.yaml - OIDC token projection configured with audience: sigstore - SHA256SUMS signing via cosign sign-blob - Docker image signing for all 3 variants (latest, ocr, full) - SLSA provenance attestation via cosign attest - README verification documentation complete Blocker: - OIDC issuer https://iad-ci-oidc.ardenone.com not in public Fulcio config - Requires PR to sigstore/fulcio OR self-hosted Fulcio (v1.1+) References: - https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml - Bead pdftract-8eo1 --- notes/pdftract-8eo1.md | 138 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 notes/pdftract-8eo1.md diff --git a/notes/pdftract-8eo1.md b/notes/pdftract-8eo1.md new file mode 100644 index 0000000..252c338 --- /dev/null +++ b/notes/pdftract-8eo1.md @@ -0,0 +1,138 @@ +# pdftract-8eo1: Cosign Keyless Signing Implementation + +## Date: 2026-05-20 + +## Current State Analysis + +### What's Already Implemented ✅ + +1. **cosign installed in signing workflows** + - `pdftract-github-release.yaml` uses `ghcr.io/sigstore/cosign:v2.2.3` + - `pdftract-docker-build.yaml` uses `ghcr.io/sigstore/cosign:v2.2.3` + +2. **OIDC token projection configured** + - Both templates use projected service account tokens with `audience: sigstore` + - Token mounted at `/var/run/secrets/tokens/oidc-token` + +3. **SHA256SUMS signing implemented** + - `pdftract-github-release.yaml` signs SHA256SUMS with `cosign sign-blob` + - Outputs: SHA256SUMS.sig, SHA256SUMS.pem + +4. **Docker image signing implemented** + - `pdftract-docker-build.yaml` signs all 3 variants (latest, ocr, full) + - Uses `cosign sign --yes` with digest references + +5. **SLSA provenance implemented** + - `pdftract-docker-build.yaml` attests with `cosign attest --type slsaprovenance` + - Provenance includes builder ID, build config, materials, metadata + +6. **README verification documentation** + - `/home/coding/pdftract/README.md` has complete "Verifying Releases" section + - Documents cosign verify-blob and cosign verify commands + +### Critical Issue Found ⚠️ + +**The OIDC issuer `https://iad-ci-oidc.ardenone.com` is NOT registered with public Sigstore Fulcio** + +From the [Fulcio config](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml), the public instance only accepts: +- Email issuers (accounts.google.com, etc.) +- CI providers (GitHub Actions, GitLab, Buildkite, CircleCI, Codefresh) +- Kubernetes issuers (EKS, GKE, AKS patterns) +- Chainguard identity issuers + +**Current workflow configuration:** +```yaml +COSIGN_OIDC_ISSUER: "https://iad-ci-oidc.ardenone.com" +COSIGN_CERTIFICATE_IDENTITY: "https://iad-ci-oidc.ardenone.com.*" +``` + +**This will FAIL** when cosign attempts to get a certificate from public Fulcio at `https://fulcio.sigstore.dev`. + +## Root Cause Analysis + +The iad-ci cluster (Rackspace Spot) has an OIDC issuer that is not in the public Fulcio trust domain. Unlike GitHub Actions (`token.actions.githubusercontent.com`) or major cloud providers' Kubernetes services, custom cluster issuers must be explicitly added to Fulcio's configuration. + +## Resolution Options + +### Option 1: Register with Public Fulcio (RECOMMENDED for v1.0) +1. Open PR against `sigstore/fulcio` to add iad-ci issuer +2. Subject: Add `https://iad-ci-oidc.ardenone.com` to trusted issuers +3. Must meet Fulcio's requirements for issuer trustworthiness +4. Timeline: Unknown (depends on Sigstore maintainer review) + +### Option 2: Self-Hosted Fulcio (DEFERRED to v1.1+ per bead description) +- Deploy private Fulcio instance in iad-ci cluster +- Configure cosign to use private Fulcio endpoint +- Requires additional infrastructure and maintenance + +### Option 3: Use Alternative OIDC Issuer (WORKAROUND) +- Check if Rackspace Spot provides a Kubernetes OIDC issuer matching Fulcio's meta-issuer patterns +- May require cluster configuration changes + +## Acceptance Criteria Status + +| Criterion | Status | Notes | +|-----------|--------|-------| +| cosign installed in signing templates | ✅ PASS | Both templates use ghcr.io/sigstore/cosign:v2.2.3 | +| OIDC issuer registered with Sigstore | ❌ FAIL | `https://iad-ci-oidc.ardenone.com` not in public Fulcio config | +| SHA256SUMS.sig produced | ✅ PASS | Implemented in pdftract-github-release.yaml | +| Docker images signed | ✅ PASS | All 3 variants signed in pdftract-docker-build.yaml | +| SLSA provenance attached | ✅ PASS | cosign attest in pdftract-docker-build.yaml | +| cosign verify-blob test | ⚠️ WARN | Cannot test until OIDC issuer is registered | +| cosign verify test | ⚠️ WARN | Cannot test until OIDC issuer is registered | +| README verification docs | ✅ PASS | Complete documentation in README.md | + +## Files Analyzed + +### In declarative-config: +- `/home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-github-release.yaml` + - Lines 439-508: sign-sums template + - Uses: `cosign sign-blob --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"` + +- `/home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-docker-build.yaml` + - Lines 317-449: sign-image template + - Uses: `cosign sign --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"` + - Uses: `cosign attest --type slsaprovenance` + +### In pdftract: +- `/home/coding/pdftract/README.md` + - Lines 50-110: "Verifying Releases" section + - Documents verification commands + +## Recommended Next Steps + +1. **Determine actual OIDC issuer URL for iad-ci cluster** + - Check cluster OIDC configuration + - May differ from `https://iad-ci-oidc.ardenone.com` + +2. **If using custom issuer**: Open PR with sigstore/fulcio + - Template: https://github.com/sigstore/fulcio/pull/new + - Add entry to `config/identity/config.yaml` under `oidc-issuers:` + - Include: issuer-url, client-id, type, contact, description + +3. **If using Kubernetes OIDC**: Match meta-issuer pattern + - Check if issuer matches `https://oidc.eks.*.amazonaws.com/id/*` (EKS) + - Check if issuer matches GKE/AKS patterns + - May need to configure cluster OIDC to use supported pattern + +4. **Test verification** once issuer is registered: + ```bash + # Test blob verification + cosign verify-blob \ + --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \ + --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \ + --signature SHA256SUMS.sig \ + SHA256SUMS + + # Test image verification + cosign verify \ + --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \ + --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \ + ghcr.io/jedarden/pdftract:X.Y.Z + ``` + +## Sources + +- [Sigstore Fulcio Configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) +- [Sigstore OIDC Documentation](https://docs.sigstore.dev/certificate_authority/oidc-in-fulcio/) +- [Cosign Keyless Signing Guide](https://docs.sigstore.dev/cosign/keyless/)