Feature Request: Disallow using GenericIssuerSubjectVerifier for GitHub Actions

[viccuad]

Is your feature request related to a problem?

Verifying Sigstore signatures done inside of GitHub Actions is not trivial. It is not enough to check the certificate's issuer and subject (what the GenericIssuerSubjectVerifier does).

For signatures that happen in GHA, the subject points to the workflow that contains the line cosign sign, not the workflow that is run on CI. Normally these 2 are the same, but in the case of GitHub Reusable Workflows, they are not.
If someone is signing inside of reusable workflows, an attacker can consume that workflow and get a signature where the subject points to the reusable workflow, therefore spoofing the owner and repo of the signature.

This GHA behaviour on setting subject is expected, since one can change the builder in the reusable workflow, for example. Still, using subject is not enough. Github's OIDC token contains more information, which ends as x509 certificate extensions in the signature certficate.

These are all exposed by sigstore-rs already, and consumed and correctly checked already by GithubActionsVerifier.

Solution you'd like

Anybody could hit these types of vulnerabilities if they are verifying signatures from GHA by only looking at the subject.

Users need to be aware that that is not enough. Hence , disallow users from creating a GenericIssuerSubjectVerifier, if the issuer is https://token.actions.githubusercontent.com (Github Actions).

This can be implemented by failing with an error that points them to using GithubActionsVerifier, which checks for more cases, therefore being more secure.

Blocked on

This is a breaking change. This behaviour change will break https://github.com/kubewarden/verify-image-signatures (which uses genericIssuerSubjectVerifier) if configured to to verify images sign via keyless in GHA.

Alternatives you've considered

No response

Anything else?

No response