Implement Credential Caching #75

wlynch · 2022-06-16T17:20:28Z

Summary

This introduces a socket based credential cache to allow caching of keys
so that users do not need to go through the OIDC flow multiple times
for batch operations (e.g. rebases).

Credentials are keyed to git working directories so that different repos can
cache different identities, and credentials are never directly stored to disk.

Signed-off-by: Billy Lynch billy@chainguard.dev

Ticket Link

Fixes #21

Release Note

Adds gitsign-credential-cache: an optional credential cache for reusing keys for multiple signing requests.

cmd/gitsign-credential-cache/README.md

cmd/gitsign-credential-cache/main.go

go.mod

internal/fulcio/identity.go

This introduces a socket based credential cache to allow caching of keys so that users do not need to go through the OIDC flow multiple times for batch operations (e.g. rebases). Credentials are keyed to git working directories so that different repos can cache different identities, and credentials are never directly stored to disk. Signed-off-by: Billy Lynch <billy@chainguard.dev>

Signed-off-by: Billy Lynch <billy@chainguard.dev>

cmd/gitsign-credential-cache/README.md

Signed-off-by: Billy Lynch <billy@chainguard.dev>

znewman01

LGTM! Only blocking comment is about permissions of the socket

cmd/gitsign-credential-cache/main.go

internal/cache/client.go

internal/cache/service.go

- Return CertSignerVerifier - Move static values to const - Use XDG_CACHE_DIR for user data directory. Signed-off-by: Billy Lynch <billy@chainguard.dev>

Signed-off-by: Billy Lynch <billy@chainguard.dev>

imjasonh

Let's do it!

When this goes in I'll try it out for a few days and see if anything breaks. 🤞

wlynch requested review from imjasonh and znewman01 June 16, 2022 17:20

imjasonh reviewed Jun 16, 2022

View reviewed changes

cmd/gitsign-credential-cache/README.md Outdated Show resolved Hide resolved

cmd/gitsign-credential-cache/main.go Outdated Show resolved Hide resolved

go.mod Outdated Show resolved Hide resolved

internal/fulcio/identity.go Outdated Show resolved Hide resolved

wlynch added 5 commits June 16, 2022 15:46

Remove grpc in favor of net/rpc.

8777df5

Signed-off-by: Billy Lynch <billy@chainguard.dev>

Update README.md with more warning about when not to use the cache.

1239c68

Signed-off-by: Billy Lynch <billy@chainguard.dev>

Remove unused code, remove usage of cosign/fulcioroots.

1c52e4a

Signed-off-by: Billy Lynch <billy@chainguard.dev>

Add missing license headers.

e088ce6

Signed-off-by: Billy Lynch <billy@chainguard.dev>

wlynch force-pushed the sockets branch from bfc19b1 to e088ce6 Compare June 16, 2022 19:47

wlynch requested a review from imjasonh June 16, 2022 19:47

wlynch added 3 commits June 16, 2022 15:52

Fix lint errors.

e041e2e

Signed-off-by: Billy Lynch <billy@chainguard.dev>

Use filepath.Join instead of simple string append.

591fd9b

Signed-off-by: Billy Lynch <billy@chainguard.dev>

go mod tidy

6b03ee4

Signed-off-by: Billy Lynch <billy@chainguard.dev>

imjasonh reviewed Jun 17, 2022

View reviewed changes

cmd/gitsign-credential-cache/README.md Outdated Show resolved Hide resolved

cmd/gitsign-credential-cache/README.md Outdated Show resolved Hide resolved

Update gitsign-credential-cache README.md

8e266a1

Signed-off-by: Billy Lynch <billy@chainguard.dev>

wlynch requested a review from imjasonh June 21, 2022 21:15

imjasonh previously approved these changes Jun 22, 2022

View reviewed changes

znewman01 suggested changes Jun 22, 2022

View reviewed changes

cmd/gitsign-credential-cache/main.go Outdated Show resolved Hide resolved

cmd/gitsign-credential-cache/main.go Show resolved Hide resolved

internal/cache/client.go Outdated Show resolved Hide resolved

internal/cache/service.go Outdated Show resolved Hide resolved

wlynch dismissed imjasonh’s stale review via c217f87 June 22, 2022 20:56

Cache updates

b68b6df

- Return CertSignerVerifier - Move static values to const - Use XDG_CACHE_DIR for user data directory. Signed-off-by: Billy Lynch <billy@chainguard.dev>

wlynch force-pushed the sockets branch from c217f87 to b68b6df Compare June 22, 2022 20:58

Set default umask to remove non-user permissions.

4401779

Signed-off-by: Billy Lynch <billy@chainguard.dev>

wlynch requested a review from znewman01 June 23, 2022 16:01

znewman01 approved these changes Jun 23, 2022

View reviewed changes

wlynch requested a review from imjasonh June 23, 2022 20:21

imjasonh approved these changes Jun 23, 2022

View reviewed changes

imjasonh merged commit 0fb71e6 into sigstore:main Jun 23, 2022

imjasonh mentioned this pull request Jun 24, 2022

Signing built images ko-build/ko#357

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Implement Credential Caching #75

Implement Credential Caching #75

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Implement Credential Caching #75

Implement Credential Caching #75

Uh oh!

Conversation

Summary

Ticket Link

Release Note

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!