Conversation

woodruffw
Member

See #31.

Signed-off-by: William Woodruff <william@trailofbits.com>

@woodruffw woodruffw added the component:signing Core signing functionality label May 6, 2022
@woodruffw woodruffw added this to the Stable release (1.0) milestone May 6, 2022
@woodruffw woodruffw self-assigned this May 6, 2022
@woodruffw woodruffw mentioned this pull request May 6, 2022
@woodruffw woodruffw requested review from di and tetsuo-cpp May 6, 2022 16:25
@woodruffw
Member Author

woodruffw commented May 6, 2022 via email

di
di previously approved these changes May 6, 2022
Member

@di di left a comment

This LGTM but I want to add a simple integration test for CircleCI before merging. I don't have the ability to do this for this repo anymore though, so hang tight while I figure out who can.

@woodruffw
Member Author

Sounds good!

@di di force-pushed the ww/circleci-ambient branch 7 times, most recently from cb60aec to 44e94db Compare May 9, 2022 19:40
@di di force-pushed the ww/circleci-ambient branch from 44e94db to bba3081 Compare May 9, 2022 19:46
@di
Member

di commented May 9, 2022

This seems like a dealbreaker. From https://circleci.com/docs/2.0/openid-connect-tokens/#format-of-the-openid-connect-id-token

aud: The audience. Currently, this is a fixed value "<organization-id>", a string containing a UUID that identifies the job’s project’s organization.
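The audience check that a fixed-audience token would fail, as an added example and not code from sigstore-python or id: it decodes the unverified claims of a constructed CircleCI-style token and rejects one whose `aud` is an organization UUID rather than the expected audience (assumed here to be "sigstore", the value Fulcio expects).

```python
import base64
import json

# Constructed stand-in for a CircleCI organization UUID; not a real value.
ORG_ID = "00000000-0000-4000-8000-000000000000"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature (test fixture only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    This only inspects claims to decide whether the token is usable as an
    ambient credential; the signature is verified by Fulcio, not here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_expected_audience(token: str, expected: str = "sigstore") -> bool:
    """True if `expected` is the aud claim or one of its entries (aud may be a list)."""
    aud = unverified_claims(token).get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return isinstance(aud, list) and expected in aud


# Token shaped like the quoted docs: aud fixed to the organization UUID.
FIXED_AUD_TOKEN = make_unsigned_jwt({"aud": ORG_ID, "sub": "constructed-subject"})
# Token with a customizable audience, as the feature request asks for.
CUSTOM_AUD_TOKEN = make_unsigned_jwt({"aud": "sigstore", "sub": "constructed-subject"})

if __name__ == "__main__":
    print("fixed aud usable:", has_expected_audience(FIXED_AUD_TOKEN))    # False
    print("custom aud usable:", has_expected_audience(CUSTOM_AUD_TOKEN))  # True
```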

@di
Member

di commented May 9, 2022

Marking this as blocked on https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens, please upvote that feature request if you need this feature.

@di di added the blocked label May 9, 2022
@woodruffw
Member Author

Oh well; that's too bad. At least the changeset here is pretty small, so we'll be able to move this along rapidly once that gets unblocked.

@di
Member

di commented May 10, 2022

When we're ready to merge this, we should go to https://app.circleci.com/settings/project/github/sigstore/sigstore-python/advanced and re-enable "GitHub Status Updates" before rebasing.

@di di modified the milestones: Stable release (1.0), Post-stable Jan 4, 2023
@di
Member

di commented Jan 4, 2023

Given the slow movement here, dropping this out of the 1.0 milestone.

@jerdog

jerdog commented Jun 6, 2023

CircleCI has just added customizable audience claims in OIDC tokens =)

https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management

@woodruffw
Member Author

@jerdog fantastic, thanks for letting us know!

This PR is pretty stale at this point, but I'll see about refreshing it.

@woodruffw
Member Author

NB: This will require upstream changes to id, since we've moved all ambient credential detection logic there.

@woodruffw
Member Author

Upstream tracking: di/id#61

@woodruffw
Member Author

This has been done upstream. The only remaining item for CircleCI support in sigstore-python is to update our dependency on id, which is currently in the works.

@woodruffw woodruffw closed this Dec 12, 2023
@woodruffw woodruffw deleted the ww/circleci-ambient branch December 12, 2023 18:08
javanlacerda pushed a commit to javanlacerda/sigstore-python that referenced this pull request Feb 23, 2024
Signed-off-by: William Woodruff <william@trailofbits.com>