Skip to content

image: Add buildSignerURI for Fulcio workflow identity verification#625

Open
abyrne55 wants to merge 1 commit intocontainers:mainfrom
abyrne55:buildsigner-uri
Open

image: Add buildSignerURI for Fulcio workflow identity verification#625
abyrne55 wants to merge 1 commit intocontainers:mainfrom
abyrne55:buildsigner-uri

Conversation

@abyrne55
Copy link

@abyrne55 abyrne55 commented Feb 4, 2026

This PR adds support for verifying Sigstore signatures from CI workflows (e.g., GitHub Actions) by matching on the Fulcio BuildSignerURI certificate extension (OID 1.3.6.1.4.1.57264.1.9).

This addresses a gap where keyless Sigstore signatures created by automated CI workflows could not be verified via policy.json, since the existing subjectEmail field only matches email-based identities from interactive signing.

Closes #34

Security Model

What does a signature with buildSignerURI prove?

A valid signature means:

  1. The OIDC issuer (e.g., https://token.actions.githubusercontent.com) authenticated the signer
  2. The Fulcio CA issued a certificate binding that identity to a signing key
  3. The certificate's BuildSignerURI extension (Fulcio OID 1.3.6.1.4.1.57264.1.9) matches the policy-specified workflow URI exactly
  4. The signature was recorded in Rekor's immutable transparency log

This allows policies like: "Accept images signed by the release.yml workflow in myorg/myrepo on the main branch, authenticated via GitHub Actions OIDC."

Design Decisions

Decision Rationale
Match on OID 1.9, not SAN URI Fulcio can include multiple identities in a certificate's SAN field; matching the dedicated BuildSignerURI OID is semantically unambiguous.
Exact string matching No substring or regex matching — reduces misconfiguration risk.
Follows existing OID extraction pattern fulcioBuildSignerURIInCertificate mirrors fulcioIssuerInCertificate for consistency.

Example Configuration

{
  "type": "sigstoreSigned",
  "fulcio": {
    "caPath": "/etc/pki/containers/fulcio.sigstore.dev.pub",
    "oidcIssuer": "https://token.actions.githubusercontent.com",
    "buildSignerURI": "https://github.com/myorg/myrepo/.github/workflows/release.yml@refs/heads/main"
  },
  "rekorPublicKeyPath": "/etc/pki/containers/rekor.sigstore.dev.pub",
  "signedIdentity": {"type": "matchRepository"}
}

Testing

  • Unit tests for fulcioBuildSignerURIInCertificate (valid extraction, missing extension, duplicate extension, invalid ASN.1)
  • Unit tests for fulcioTrustRoot.validate() with new field combinations
  • Unit tests for policy JSON unmarshaling with buildSignerURI
  • Unit tests for certificate verification with buildSignerURI matching/mismatching
  • Manual integration test with Skopeo and a signed GHCR image - see test report

Related

@abyrne55 @claude
image: Add buildSignerURI for Fulcio workflow identity verification
c172218 
Add support for verifying Sigstore signatures from CI workflows (e.g.,
GitHub Actions) by matching on the Fulcio BuildSignerURI certificate
extension (OID 1.3.6.1.4.1.57264.1.9).

This addresses a gap where keyless Sigstore signatures created by
automated CI workflows could not be verified via policy.json, since
the existing subjectEmail field only matches email-based identities
from interactive signing.

The new buildSignerURI field:
- Extracts from the specific OID, not the SAN URI (avoiding ambiguity)
- Uses exact string matching (no substring or regex)
- Follows existing code patterns for OID extraction

Example policy.json configuration:

    "fulcio": {
        "caPath": "/etc/pki/containers/fulcio.sigstore.dev.pub",
        "oidcIssuer": "https://token.actions.githubusercontent.com",
        "buildSignerURI": "https://github.com/org/repo/.github/workflows/release.yml@refs/heads/main"
    }

Closes: containers#34

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Anthony Byrne <abyrne@redhat.com>
@github-actions github-actions bot added the image Related to "image" package label Feb 4, 2026
@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Feb 11, 2026

@nalind @mtrmac WDYT?
LGTM, but I don't have in depth Fulcio knowledge

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

image: Extend Fulcio signature acceptance options to support “workflow identity”

2 participants

@abyrne55 @TomSweeneyRedHat