feat: add asdf-gitsign #708

Merged: 1 commit, Nov 20, 2022

@spencergilbert spencergilbert commented Nov 19, 2022

Signed-off-by: Spencer Gilbert [email protected]

Summary

Added a plugin to manage gitsign, a tool from sigstore used to sign Git commits with a valid OpenID Connect identity.

When I have the time I'm going to look at adding the rest of their CLI tools, hopefully being able to combine them into a similar "generic" plugin like the one for Hashicorp tools.

Checklist

  • CI tests are green. If you are using GitHub, you might want to use the plugin_test action from asdf-actions
  • asdf-plugins CI sanity checks are green on your PullRequest. Test locally with:
./test_plugin.sh --file plugins/<PLUGIN_FILE>

This commit was signed with gitsign! The commit signature can be inspected with:

git cat-file commit 23dcd77 | sed -n '/BEGIN/, /END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
# PKCS7: 
# ...
#     cert:
#         cert_info: 
#           version: 2
#           serialNumber: 0x60995DCB1E17345A7FEDBA372A76FD6C5EACFEED
#           signature: 
#             algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3)
#             parameter: <ABSENT>
#           issuer: O=sigstore.dev, CN=sigstore-intermediate
# ...
# Certificate:
# ...
#         Issuer: O=sigstore.dev, CN=sigstore-intermediate
#         Validity
#             Not Before: Nov 19 15:07:43 2022 GMT
#             Not After : Nov 19 15:17:43 2022 GMT
# ...
#         X509v3 extensions:
#             X509v3 Key Usage: critical
#                 Digital Signature
#             X509v3 Extended Key Usage: 
#                 Code Signing
# ...
#             X509v3 Subject Alternative Name: critical
#                 email:[email protected]
# ...

or with gitsign installed:

git verify-commit 23dcd77
# tlog index: 7423856
# gitsign: Signature made using certificate ID 0x30d0622f051df1f7d421db900a377d02269b57de | CN=sigstore-intermediate,O=sigstore.dev
# gitsign: Good signature from [[email protected]]
# Validated Git signature: true
# Validated Rekor entry: true

Note: GitHub's UI marks these signed commits as unverified for the time being; the issue tracking progress on that can be found at sigstore/gitsign#40

Signed-off-by: Spencer Gilbert <[email protected]>
@spencergilbert spencergilbert requested a review from a team as a code owner November 19, 2022 15:21
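
Added example, not part of the pull request or of gitsign's own code: a header-aware way to pull the signature out of a commit object for the `openssl pkcs7` inspection shown above. It reads only the commit headers, so BEGIN/END text in a commit message is not mistaken for the signature; the function names are hypothetical and the sample commit is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Read a raw commit object on stdin and print its gpgsig header as PEM PKCS7.
# Only the header section (up to the first blank line) is read, so BEGIN/END
# markers that appear in the commit message are never treated as a signature.
extract_gpgsig() {
  awk '
    /^$/       { exit }                              # end of headers
    /^gpgsig / { insig = 1; line = substr($0, 8) }   # first line of the value
    /^ /       { if (!insig) next; line = substr($0, 2) }  # continuation line
    !/^gpgsig / && !/^ / { insig = 0; next }         # another header starts
    insig      { gsub(/SIGNED MESSAGE/, "PKCS7", line); print line }
  '
}

# Constructed commit object: placeholder hashes, identity and payload.
sample_commit() {
  cat <<'EOF'
tree 0000000000000000000000000000000000000000
author Example Dev <dev@example.com> 1668870463 +0000
committer Example Dev <dev@example.com> 1668870463 +0000
gpgsig -----BEGIN SIGNED MESSAGE-----
 Q09OU1RSVUNURUQ=
 -----END SIGNED MESSAGE-----

feat: example commit

-----BEGIN SIGNED MESSAGE-----
text pasted into the message body, not a signature
-----END SIGNED MESSAGE-----
EOF
}

# Usage against a real repository (openssl flags as used in the comment above):
inspect_commit() {
  git cat-file commit "$1" | extract_gpgsig | openssl pkcs7 -print -print_certs -text
}
```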

@jthegedus jthegedus left a comment

thanks

@jthegedus jthegedus merged commit 51bc6ed into asdf-vm:master Nov 20, 2022
@jthegedus

Very interesting work from sigstore

@spencergilbert spencergilbert deleted the add-asdf-gitsign branch November 20, 2022 15:57
mbutov pushed a commit to mbutov/asdf-plugins that referenced this pull request May 6, 2024