Feature/sigstore a2a signed card verification #2
Closed
DeanKelly751 wants to merge 7 commits into
Implement Sigstore (sigstore-a2a) bundle verification for agent cards
using the sigstore-go library with production TUF root, certificate
identity validation, and Rekor transparency log verification.
**Core Verification**
- Verify SignedAgentCard bundles using sigstore-go verify.NewVerifier
- Validate Fulcio certificate identity against expected GitHub workflow
- Confirm Rekor transparency log inclusion
- Extract SLSA provenance (repository, commit SHA) from bundles
- Support both current (attestations) and legacy (verificationMaterial) formats
- Use JCS (RFC 8785) canonicalization for artifact bytes
**Configuration**
- CLI flags: --enable-sigstore-verification, --sigstore-audit-mode,
--sigstore-certificate-identity, --sigstore-certificate-oidc-issuer
- Per-AgentCard identity override via spec.sigstoreVerification
- Support custom TUF trust roots via ConfigMap
- Staging TUF support for testing (--sigstore-staging)
**Status & Observability**
- Status fields: sigstoreBundleVerified, sigstoreIdentity, rekorLogIndex,
slsaRepository, slsaCommitSHA
- SigstoreVerified condition with reasons: SigstoreVerified,
SigstoreVerificationFailed, SigstoreVerificationFailedAudit,
SigstoreBundleNotFound
- Kubernetes Events: SigstoreVerified (Normal), SigstoreVerificationFailed
(Warning), SigstoreBundleNotFound (Warning)
- Prometheus metrics: kagenti_sigstore_verification_total{result},
kagenti_sigstore_verification_duration_seconds,
kagenti_sigstore_trusted_root_age_seconds
**Enforcement**
- Audit mode: log failures without blocking reconciliation
- Enforcement mode: reject cards with invalid/missing bundles
- NetworkPolicy integration: verified label requires both JWS and Sigstore
- Graceful adoption: absent bundles (plain agent cards) marked as Absent
**CI Integration**
- GitHub Actions workflow: .github/workflows/sign-agent-card.yml
- Uses sigstore-a2a Python library to sign example agent card
- OIDC token from GitHub Actions for keyless signing
- Publishes signed card as workflow artifact
**Helm Chart**
- New values: sigstore.enabled, sigstore.auditMode,
sigstore.certificateIdentity, sigstore.certificateOIDCIssuer,
sigstore.staging, sigstore.trustedRoot
- Manager deployment updated to pass Sigstore flags
**Testing**
- 6 integration test cases: valid bundle, absent bundle, audit mode,
enforcement mode, SLSA extraction, per-card identity override
- Unit tests for parseProvenance, parseSignedAgentCardStructure
- Example signed agent card in examples/ci-agent-card.json
**Documentation**
- Manual E2E test guide for Sigstore verification
- Inline code comments for Sigstore initialization and verification flow
- Webhook configuration comment for local testing without certificates
**Code Review Fixes**
- Add kustomize patch for webhook namespace/object selectors (W-1 HIGH)
- Include Sigstore in NetworkPolicy label propagation (P-2 MEDIUM)
- Emit Kubernetes Events for all Sigstore paths (P-3 MEDIUM)
- Handle infrastructure errors in enforcement mode (M-3 MEDIUM)
- Clear Sigstore status when verification disabled (P-6 LOW)
- Remove unused RekorURL CRD field (CRD-1 LOW)
- Allow validation webhooks to be disabled via ENABLE_WEBHOOKS=false
Signed-off-by: dekelly <dekelly@redhat.com>
Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
012469e to 8fee138
- Split long error messages in cmd/main.go to stay under 120 char limit
- Add nolint:gocyclo directive for updateAgentCardStatus (TODO: refactor)

The extremely-dangerous-public-oidc-beacon action is failing due to GitHub's OIDC token service issuing tokens with <5min validity. This change:
- Removes dependency on beacon action
- Uses ambient OIDC credentials from GitHub Actions
- Updates verification to check actual workflow identity

Fixes OIDC token expiry failures in sign-agent-card workflow.

This reverts commit 92406fb.

Remove dependency on extremely-dangerous-public-oidc-beacon and use GitHub Actions' ambient OIDC credentials directly. This change:
- Removes beacon action dependency
- Uses GitHub Actions native OIDC (no --identity_token flag)
- Updates verification to check actual workflow identity
- Simplifies CI pipeline

Use curl to fetch OIDC token from GitHub Actions runtime instead of relying on beacon action. This approach:
- Fetches token from $ACTIONS_ID_TOKEN_REQUEST_URL
- Passes token to sigstore-a2a via --identity_token flag
- Certificate will contain GitHub Actions workflow identity
- No dependency on external beacon action
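
Added example, not part of the pull request or the project's workflow: a shell sketch of the curl-based token fetch described in the last commit, with a pre-flight check of the token's issuer and remaining lifetime before it is handed to the signer, since the earlier commits report failures from short-lived tokens. The function names, the `sigstore` audience, the 60-second threshold and the sample token are assumptions made for illustration.

```shell
# Added example: pre-flight checks on a GitHub Actions OIDC token before signing.
# Nothing here verifies the JWT signature; this only catches wrong-issuer or
# nearly expired tokens early. sed is used so no jq is needed (flat claims only).

# Fetch a token for the "sigstore" audience (job needs `permissions: id-token: write`).
fetch_oidc_token() {
  curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore" |
    sed -n 's/.*"value":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the decoded JWT payload (second dot-separated segment, base64url).
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print one string or numeric claim: jwt_claim <token> <claim-name>
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Return 0 only if the issuer matches and at least <min_left> seconds remain.
# Args: token expected_issuer min_left [now_epoch]
token_ok_for_signing() {
  local now=${4:-$(date +%s)} exp iss
  iss=$(jwt_claim "$1" iss)
  exp=$(jwt_claim "$1" exp)
  [ "$iss" = "$2" ] || { echo "unexpected issuer: $iss" >&2; return 1; }
  [ -n "$exp" ] && [ $(( exp - now )) -ge "$3" ] ||
    { echo "token expires too soon (exp=$exp now=$now)" >&2; return 1; }
}

# Constructed sample token (unsigned, illustration only): args are iss and exp.
sample_token() {
  local p
  p=$(printf '{"iss":"%s","exp":%s,"aud":"sigstore"}' "$1" "$2" |
    base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.sig' "$p"
}

# In CI: token=$(fetch_oidc_token)
#        token_ok_for_signing "$token" https://token.actions.githubusercontent.com 60
# and only then pass "$token" to sigstore-a2a via its --identity_token flag.
```

Fetching the token immediately before the signing step, rather than in an earlier job step, keeps as much of its validity window as possible for the certificate request.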