Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Gitpod workspaces #3601

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

ChevronTango
Copy link

Closes #2997

Summary
This PR adds a provider that, when run from within a Gitpod workspace, retrieves a token automatically from the command line, which means users do not have to do any additional auth checks or config.

This PR was previously open as #2998 however work on Gitpod's end stalled and it took some time before changes were implemented that made this viable. These updates mean some, though not all, tokens can now be used with Sigstore, and Gitpod are correctly populating the email_verified field as required by Fulcio. Part of the logic of this PR has been changed to make sure we only send through tokens if they have this field and will be valid.

Release Note
Documentation

ChevronTango and others added 2 commits March 15, 2024 16:30
Signed-off-by: Edward Brough <[email protected]>
Signed-off-by: Edward Brough <[email protected]>
@ChevronTango ChevronTango changed the title Feature/gitpod Support Gitpod workspaces Mar 15, 2024
@@ -0,0 +1,18 @@
//
// Copyright 2021 The Sigstore Authors.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Copyright 2021 The Sigstore Authors.
// Copyright 2024 The Sigstore Authors.

@@ -0,0 +1,72 @@
//
// Copyright 2021 The Sigstore Authors.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Copyright 2021 The Sigstore Authors.
// Copyright 2024 The Sigstore Authors.

)

func init() {
providers.Register("filesystem", &gitpod{})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
providers.Register("filesystem", &gitpod{})
providers.Register("gitpod", &gitpod{})

// Check we are in a Gitpod Workspace
if env.Getenv(env.VariableGitpodWorkspaceId) != "" {

//Check we are able to generate tokens with a verified email address
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
//Check we are able to generate tokens with a verified email address
// Check we are able to generate tokens with a verified email address

(golangci-lint run will catch this)

if env.Getenv(env.VariableGitpodWorkspaceId) != "" {

//Check we are able to generate tokens with a verified email address
output, err := exec.Command("gp", "idp", "token", "--audience", "example.org", "--decode").Output()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How necessary is this check, if the workspace variable is known to be set? The github provider, for example, only bothers to check the variable.

Is there a timeout option for this command?

All the providers are looped through when a new signer is created, so if this command doesn't exit quickly when not enabled, it will stall keyless signing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add Gitpod Provider Interface
2 participants