Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for checking cert email against user config before signing. #246

Merged
merged 1 commit into from
Feb 23, 2023

Conversation

wlynch
Copy link
Member

@wlynch wlynch commented Feb 21, 2023

Summary

This change adds a new config option: gitsign.matchCommitter. This option checks whether the certificate fetched matches the user configured email/name.

For human users, this generally means that the SAN email in the cert matches the user.email Git config option.

For non-email based identities (e.g. machine users), the SAN URI can be specified as the user name (since the URI isn't a valid email).

Gitsign requires at least one condition to match for the check to succeed.

This change does not enforce any constraints on verification, since this requires additional checking to know what IdP is considered valid.

Fixes #104

Release Note

  • Added gitsign.matchCommitter config option. This option checks whether the certificate fetched matches the user configured email/name.

Documentation

This change adds a new config option: gitsign.matchCommitter. This
option checks whether the certificate fetched matches the user
configured email/name.

For human users, this generally means that the SAN email in the cert
matches the `user.email` Git config option.

For non-email based identities (e.g.  machine users), the SAN URI can be
specified as the user name (since the URI isn't a valid email).

Gitsign requires at least one condition to match for the check to
succeed.

This change does *not* enforce any constraints on verification, since
this requires additional checking to know what IdP is considered valid.

Signed-off-by: Billy Lynch <[email protected]>
Copy link
Member

@cpanato cpanato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cool!! thanks for that!

@wlynch wlynch merged commit 38ef0f7 into sigstore:main Feb 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Verify: require cert to match committer?
3 participants