Witness sign an attestation with a fulcio-token #293

Open
MFry opened this issue Nov 3, 2023 · 1 comment


MFry commented Nov 3, 2023

Hi friends,
I am running through some examples of keyless signing and am trying to sign a simple attestation with witness. Due to our configuration/dev environment it's a bit of a pain to do the OIDC GUI-based callback in the dev box, so I just generate the necessary token and attempt to sign with that. When using the token to sign I get the following error:

witness run -a environment -s test -o test.json --signer-fulcio-url $FULCIO_URL --signer-fulcio-oidc-client-id $FULCIO_OIDC --signer-fulcio-oidc-issuer $FULCIO_OIDC_ISSUER --signer-fulcio-token $IDENTITY_TOKEN -- echo "hello" > test.txt

INFO    Using config file: .witness.yaml
ERROR   failed to create fulcio signer: %!w(*errors.errorString=&{square/go-jose: compact JWS format must have three parts})
INFO    Starting environment attestor...
INFO    Starting material attestor...
INFO    Starting command-run attestor...
INFO    Starting product attestor...

After reading that error I thought I might need the entire bearer JSON received from the OIDC provider instead of just extracting the access_token, so I grabbed the entire token:

{
  "access_token": "SOME_TOKEN",
  "token_type": "Bearer",
  "expires_in": SOME_EXPIRE_TIME
}

and tried running witness again, and got the following error:

INFO    Using config file: .witness.yaml
ERROR   failed to create fulcio signer: %!w(*errors.errorString=&{square/go-jose: missing payload in JWS message})
INFO    Starting environment attestor...
INFO    Starting material attestor...
INFO    Starting command-run attestor...
INFO    Starting product attestor...

Now I am wondering if this signer-fulcio-token is something different from what I assume it is or I am missing something.

Additionally, I verified that these values work when running cosign sign-blob and I assumed the identity-token and signer-fulcio-token were equivalent, but that may not be the case.

cosign sign-blob \
  -y \
  --fulcio-url ${FULCIO_URL} \
  --rekor-url ${REKOR_URL} \
  --output-signature hello.sig \
  --output-certificate hello.crt \
  --identity-token ${IDENTITY_TOKEN} \
  test.tgz

Note: Some of the values are replaced with variables to remove company-used URLs, tokens, etc.


ChaosInTheCRD commented Nov 28, 2023

Hi there 👋

Thanks for submitting this issue. It's good to see that people are running through the examples!

So I have tried to replicate your issue, and I get the same error when setting the --signer-fulcio-token flag as the path to a file that contains the token. Is this how you are using it? If so, this flag requires the raw token to be passed as a raw string, like so:

--signer-fulcio-token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

In the case of cosign sign-blob, that will work if ${IDENTITY_TOKEN} is the path to the token, as the --identity-token flag supports both:

From cosign sign-blob --help:

--identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.

If you have the time, it'd be great if you could update the issue with:

  • the output of the command once you've confirmed that you're passing the raw token string to the flag
  • detail on how exactly you are getting the token from the provider, and which provider you are getting it from.

Regardless of the outcome of the issue, I think it would be good to make a code change so this flag does accept either the raw token string or the path to a token 😄.

Thanks again,
