Allow custom root PEM #477

Merged
merged 6 commits into from
Jul 27, 2021

lukehinds
Member

@lukehinds lukehinds commented Jul 26, 2021

This change allows use of a custom env COSIGN_ROOT for those
who wish to use their own root CA in an off public net fulcio
instance.

Ultimately we might want to do this with a flag, but it requires
a fair amount of rewrite, so this seems a good pragmatic bridge
without being too disruptive prior to 1.0

Resolves: #87

Signed-off-by: Luke Hinds [email protected]

Luke Hinds added 2 commits July 26, 2021 14:45
This change allows use of a custom env `COSIGN_ROOT` for those
who wish to use their own root CA in an off public net fulcio
instance.

Ultimately we might want to do this with a flag, but it requires
a fair amount of rewrite, so this seems a good pragmatic bridge
without being too disruptive prior to 1.0

Signed-off-by: Luke Hinds <[email protected]>
Signed-off-by: Luke Hinds <[email protected]>
Member

@dlorenc dlorenc left a comment

One nit on the env var name. We should also get this into the README.md somewhere.

@@ -46,6 +47,7 @@ const (
FlowNormal = "normal"
FlowDevice = "device"
FlowToken = "token"
altRoot = "COSIGN_ROOT"
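
Review bot: altRoot names an environment variable, but it sits in the same const block as FlowNormal, FlowDevice and FlowToken, where it reads like a fourth flow value and carries no comment. Consider giving it its own declaration, an identifier that says it is an environment variable name, and a doc comment stating that it points at the custom root CA described in the PR, since an override of the trust root should be easy to spot when auditing this file.
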
Member

nit: maybe "SIGSTORE_ROOT_DIR" instead? These are really the roots for the sigstore project and aren't cosign specific.

Member Author

agree on both, I will add the other flags added too.

@cpanato cpanato added this to the v1.0.0 milestone Jul 26, 2021
Luke Hinds added 2 commits July 26, 2021 18:11
Signed-off-by: Luke Hinds <[email protected]>
Signed-off-by: Luke Hinds <[email protected]>
Signed-off-by: Luke Hinds <[email protected]>
Successfully merging this pull request may close these issues.

Managing/configuring root certs for fulcio