Fix verifying sigstore bundles for github trusted publishers (#5234)

We dont have the original jwt around any more, so re-create the policy based on whats intrinsic to the trusted publisher itself Signed-off-by: Samuel Giddins <[email protected]>
rubygems · Nov 14, 2024 · 9571ff1 · 9571ff1
1 parent a76accd
commit 9571ff1
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/app/models/oidc/trusted_publisher/github_action.rb b/app/models/oidc/trusted_publisher/github_action.rb
@@ -119,11 +119,22 @@ def to_access_policy(jwt)
     )
   end
 
-  def to_sigstore_identity_policy(ref)
-    Sigstore::Policy::Identity.new(
-      identity: "https://github.com/#{repository}/#{workflow_slug}@#{ref}",
-      issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
-    )
+  class SigstorePolicy
+    def initialize(trusted_publisher)
+      @trusted_publisher = trusted_publisher
+    end
+
+    def verify(cert)
+      ref = cert.openssl.find_extension("1.3.6.1.4.1.57264.1.14")&.value_der&.then { OpenSSL::ASN1.decode(_1).value }
+      Sigstore::Policy::Identity.new(
+        identity: "https://github.com/#{@trusted_publisher.repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
+        issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
+      ).verify(cert)
+    end
+  end
+
+  def to_sigstore_identity_policy
+    SigstorePolicy.new(self)
   end
 
   def name

diff --git a/app/models/pusher.rb b/app/models/pusher.rb
@@ -175,7 +175,7 @@ def verify_sigstore
     return true if attestations.blank?
     return notify("Pushing with an attestation requires trusted publishing", 400) unless api_key.trusted_publisher?
 
-    policy = api_key.owner.to_sigstore_identity_policy(api_key.oidc_id_token.jwt.dig("claims", "ref"))
+    policy = api_key.owner.to_sigstore_identity_policy
 
     artifact = Sigstore::Verification::V1::Artifact.new
     artifact.artifact = body.string

diff --git a/test/integration/push_test.rb b/test/integration/push_test.rb
@@ -25,8 +25,7 @@ class PushTest < ActionDispatch::IntegrationTest
     )
 
     @key = "543321"
-    api_key = create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: @key, scopes: %i[push_rubygem])
-    create(:oidc_id_token, api_key: api_key, jwt: { claims: { "ref" => "refs/heads/main" } })
+    create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: @key, scopes: %i[push_rubygem])
 
     signing_jwt = ["", {
       aud: "sigstore",