Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix cosign generate Azure key pair bug #1525

Merged
merged 14 commits into from Dec 4, 2023
Merged

Fix cosign generate Azure key pair bug #1525

merged 14 commits into from Dec 4, 2023

Conversation

malancas
Copy link
Contributor

@malancas malancas commented Nov 22, 2023
edited

Summary

Addresses the bug reported in sigstore/cosign#3094. That bug reports the inability to generate a key pair using the Azure Key Vault KMS. After some digging, I found the issue had to do with where the function that returns key pair's hash function is called.

This updates the Azure KMS so the key pair hash function is requested when signing and verifying, instead of retrieving it when the client is created.

This pull request also adds more logic around testing whether the a key pair with a given name already exists before attempting to generate one.

Release Note

Documentation

@malancas
handle the hash func later on, handle 404 response
55038d8 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
use shorthand
c87d759 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
add unit test for create key
14fa364 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
try counting GetKey call
ff83958 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
uncomment test
550093a 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
add more comments
7d6b606 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
remove redundant method definition
e32a6f1 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
clean up test and error messages
f98551c 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas malancas marked this pull request as ready for review November 28, 2023 17:58
malancas
malancas commented Dec 1, 2023
View reviewed changes
pkg/signature/kms/azure/signer.go
@@ -70,11 +70,6 @@ func LoadSignerVerifier(defaultCtx context.Context, referenceStr string) (*Signe
return nil, err
}

a.hashFunc, _, err = a.client.getKeyVaultHashFunc(defaultCtx)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing the bug reported in sigstore/cosign#3094. The call to getKeyVaultHashFunc would fail because it would try to get the hash function of a non-existent key.

@malancas
use the signer's default context
f374db8 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
comment
da9c3f3 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
Merge branch 'main' into cosign-generate-key-bug
8591377
@malancas
create key reference
6f3cb9f 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas malancas mentioned this pull request Dec 4, 2023
Open
@malancas
use new key ref
3837265 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas
err message
9db53c5 
Signed-off-by: Meredith Lancaster <malancas@github.com>
@haydentherapper haydentherapper merged commit f6b3cde into sigstore:main Dec 4, 2023
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@malancas @haydentherapper