sigstore
diff --git a/‎config/config.jsn‎
Lines changed: 5 additions & 0 deletions b/‎config/config.jsn‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎config/fulcio-config.yaml‎
Lines changed: 5 additions & 0 deletions b/‎config/fulcio-config.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/oid-info.md‎
Lines changed: 21 additions & 21 deletions b/‎docs/oid-info.md‎
Lines changed: 21 additions & 21 deletions
diff --git a/‎federation/oidc.codefresh.io/config.yaml‎
Lines changed: 18 additions & 0 deletions b/‎federation/oidc.codefresh.io/config.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎pkg/config/config.go‎
Lines changed: 11 additions & 8 deletions b/‎pkg/config/config.go‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎pkg/config/config_test.go‎
Lines changed: 3 additions & 0 deletions b/‎pkg/config/config_test.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/identity/codefresh/issuer.go‎
Lines changed: 40 additions & 0 deletions b/‎pkg/identity/codefresh/issuer.go‎
Lines changed: 40 additions & 0 deletions
@@ -20,6 +20,11 @@
       "IssuerURL": "https://token.actions.githubusercontent.com",
       "ClientID": "sigstore",
       "Type": "github-workflow"
+    },
+    "https://oidc.codefresh.io": {
+      "IssuerURL": "https://oidc.codefresh.io",
+      "ClientID": "sigstore",
+      "Type": "codefresh-workflow"
     }
   }
 }
@@ -64,6 +64,11 @@ data:
               "Type": "email",
               "IssuerClaim": "$.federated_claims.connector_id"
             },
+            "https://oidc.codefresh.io": {
+              "IssuerURL": "https://oidc.codefresh.io",
+              "ClientID": "sigstore",
+              "Type": "codefresh-workflow"
+            },
             "https://ops.gitlab.net": {
               "IssuerURL": "https://ops.gitlab.net",
               "ClientID": "sigstore",
 
@@ -189,27 +189,27 @@ that Sigstore operates.
 
 ## Mapping OIDC token claims to Fulcio OIDs
 
-| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | CircleCI | Buildkite | Fulcio Certificate Extension | Why / Notes / Questions                                                                                                                                                                |
-|--------------------|--------|----------|-----------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| aud                | aud     | aud       | aud        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
-| iss                | iss     | iss       | iss        | Issuer                       | This already exists. For example: https://token.actions.githubusercontent.com                                                                                                          |
-| exp                | exp     | exp       | exp        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
-| nbf                | nbf     | nbf       | nbf        | N/A                          | Only used to validate the JWT. Optional, as per the OIDC spec                                                                                                                         |
-| iat                | iat     | iat       | iat        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
-| server_url + job_workflow_ref   | ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ??       | ??        | Build Signer URI             | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. |
-| job_workflow_sha   | ci_config_sha ([WIP][gitlab-wip-cliams]) | ??       | ??        | Build Signer Digest          | An immutable reference to the specific version of the build instructions that is responsible for signing. Should include the digest type followed by the digest, e.g. `sha1:abc123`.   |
-| runner_environment | runner_environment | ??       | ??        | Runner Environment           | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`.     |
-| server_url + repository         | server_url + project_path | ??       | ??        | Source Repository URI                   | Should include a fully qualified repository URL.                                                                                                                                       |
-| sha                | sha | ??       | build_commit | Source Repository Digest                | An immutable reference to a specific version of the source code. Should include the digest type followed by the digest, e.g. `sha1:abc123`.                                            |
-| ref                | ref     | ??       | build_branch | Source Repository Ref                   | The source ref that the build run was based upon. For example: refs/head/main.                                                                                                         |
-| repository_id         | project_id     | ??       | ??        | Source Repository Identifier     | Stable identifier for the owner of the source repository.                                                                                                                                      |
-| server_url + repository_owner         | server_url + namespace_path | ??       | ??        | Source Repository Owner URI     | Fully qualified URL for the owner of the source repository.                                                                                                                                     |
-| repository_owner_id         | namespace_id     | ??       | ??        | Source Repository Owner Identifier     | Stable identifier for the owner of the source repository.                                                                                                                                   |
-| server_url + workflow_ref       |  ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ??       | ??        | Build Config URI             | A reference to the initiating build instructions.                                                                                                                                      |
-| workflow_sha       |  ci_config_sha ([WIP][gitlab-wip-cliams]) | ??       | ??        | Build Config Digest          | An immutable reference to the specific version of the top-level build instructions. Should include the digest type followed by the digest, e.g. `sha1:abc123`.                         |
-| event_name         | pipeline_source | ??       | ??        | Build Trigger                | The event or action that triggered the build.                                                                                                                                          |
-| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + /-/jobs/ + job_id | ??       | ??        | Run Invocation URI           | An immutable identifier that can uniquely identify the build execution     |
-| repository_visibility | project_visibility | ??       | ??        | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate |
+| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | CircleCI | Buildkite | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | Fulcio Certificate Extension | Why / Notes / Questions                                                                                                                                                                |
+|--------------------|--------|----------|-----------|-----------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| aud                | aud     | aud       | aud        | aud        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
+| iss                | iss     | iss       | iss        | iss        | Issuer                       | This already exists. For example: https://token.actions.githubusercontent.com                                                                                                          |
+| exp                | exp     | exp       | exp        | exp        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
+| nbf                | nbf     | nbf       | nbf        | nbf        | N/A                          | Only used to validate the JWT. Optional, as per the OIDC spec                                                                                                                         |
+| iat                | iat     | iat       | iat        | iat        | N/A                          | Only used to validate the JWT.                                                                                                                                                         |
+| server_url + job_workflow_ref   | ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ??       | ??        | platform_url + /build/ +  workflow_id        | Build Signer URI             | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. |
+| job_workflow_sha   | ci_config_sha ([WIP][gitlab-wip-cliams]) | ??       | ?? | N/A        | Build Signer Digest          | An immutable reference to the specific version of the build instructions that is responsible for signing. Should include the digest type followed by the digest, e.g. `sha1:abc123`.   |
+| runner_environment | runner_environment | ??       | ??        | runner_environment        | Runner Environment           | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`.     |
+| server_url + repository         | server_url + project_path | ??       | ??        | scm_repo_url        | Source Repository URI                   | Should include a fully qualified repository URL.                                                                                                                                       |
+| sha                | sha | ??       | build_commit | N/A | Source Repository Digest                | An immutable reference to a specific version of the source code. Should include the digest type followed by the digest, e.g. `sha1:abc123`.                                            |
+| ref                | ref     | ??       | build_branch | scm_ref | Source Repository Ref                   | The source ref that the build run was based upon. For example: refs/head/main.                                                                                                         |
+| repository_id         | project_id     | ??       | ?? | N/A        | Source Repository Identifier     | Stable identifier for the owner of the source repository.                                                                                                                                      |
+| server_url + repository_owner         | server_url + namespace_path | ??       | ?? | N/A        | Source Repository Owner URI     | Fully qualified URL for the owner of the source repository.                                                                                                                                     |
+| repository_owner_id         | namespace_id     | ??       | ?? | N/A        | Source Repository Owner Identifier     | Stable identifier for the owner of the source repository.                                                                                                                                   |
+| server_url + workflow_ref       |  ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ??       | ??        | platform_url + /api/pipelines/ +  pipeline_id        | Build Config URI             | A reference to the initiating build instructions.                                                                                                                                      |
+| workflow_sha       |  ci_config_sha ([WIP][gitlab-wip-cliams]) | ??       | ?? | N/A        | Build Config Digest          | An immutable reference to the specific version of the top-level build instructions. Should include the digest type followed by the digest, e.g. `sha1:abc123`.                         |
+| event_name         | pipeline_source | ??       | ??        | N/A        | Build Trigger                | The event or action that triggered the build.                                                                                                                                          |
+| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + /-/jobs/ + job_id | ??       | ??        | platform_url + /build/ +  workflow_id        | Run Invocation URI           | An immutable identifier that can uniquely identify the build execution     |
+| repository_visibility | project_visibility | ??       | ??        | N/A        | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate |
 
 [github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
 [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264
 
@@ -0,0 +1,18 @@
+# Copyright 2023 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+url: https://oidc.codefresh.io
+contact: [email protected]
+description: "Codefresh OIDC tokens for job identity"
+type: "codefresh-workflow"
@@ -273,14 +273,15 @@ func (fc *FulcioConfig) prepare() error {
 type IssuerType string
 
 const (
-	IssuerTypeBuildkiteJob   = "buildkite-job"
-	IssuerTypeEmail          = "email"
-	IssuerTypeGithubWorkflow = "github-workflow"
-	IssuerTypeGitLabPipeline = "gitlab-pipeline"
-	IssuerTypeKubernetes     = "kubernetes"
-	IssuerTypeSpiffe         = "spiffe"
-	IssuerTypeURI            = "uri"
-	IssuerTypeUsername       = "username"
+	IssuerTypeBuildkiteJob      = "buildkite-job"
+	IssuerTypeEmail             = "email"
+	IssuerTypeGithubWorkflow    = "github-workflow"
+	IssuerTypeCodefreshWorkflow = "codefresh-workflow"
+	IssuerTypeGitLabPipeline    = "gitlab-pipeline"
+	IssuerTypeKubernetes        = "kubernetes"
+	IssuerTypeSpiffe            = "spiffe"
+	IssuerTypeURI               = "uri"
+	IssuerTypeUsername          = "username"
 )
 
 func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
@@ -511,6 +512,8 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 		return "email"
 	case IssuerTypeGithubWorkflow:
 		return "sub"
+	case IssuerTypeCodefreshWorkflow:
+		return "sub"
 	case IssuerTypeKubernetes:
 		return "sub"
 	case IssuerTypeSpiffe:
 
@@ -495,6 +495,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
 	}
+	if claim := issuerToChallengeClaim(IssuerTypeCodefreshWorkflow, ""); claim != "sub" {
+		t.Fatalf("expected sub subject claim for Codefresh issuer, got %s", claim)
+	}
 	if claim := issuerToChallengeClaim(IssuerTypeKubernetes, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for K8S issuer, got %s", claim)
 	}
 
@@ -0,0 +1,40 @@
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package codefresh
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/sigstore/fulcio/pkg/config"
+	"github.com/sigstore/fulcio/pkg/identity"
+	"github.com/sigstore/fulcio/pkg/identity/base"
+)
+
+type codefreshIssuer struct {
+	identity.Issuer
+}
+
+func Issuer(issuerURL string) identity.Issuer {
+	return &codefreshIssuer{base.Issuer(issuerURL)}
+}
+
+func (e *codefreshIssuer) Authenticate(ctx context.Context, token string, opts ...config.InsecureOIDCConfigOption) (identity.Principal, error) {
+	idtoken, err := identity.Authorize(ctx, token, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("authorizing codefresh issuer: %w", err)
+	}
+	return WorkflowPrincipalFromIDToken(ctx, idtoken)
+}
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,11 @@`
`20`	`20`	`"IssuerURL": "https://token.actions.githubusercontent.com",`
`21`	`21`	`"ClientID": "sigstore",`
`22`	`22`	`"Type": "github-workflow"`
	`23`	`+ },`
	`24`	`+ "https://oidc.codefresh.io": {`
	`25`	`+ "IssuerURL": "https://oidc.codefresh.io",`
	`26`	`+ "ClientID": "sigstore",`
	`27`	`+ "Type": "codefresh-workflow"`
`23`	`28`	`}`
`24`	`29`	`}`
`25`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -495,6 +495,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {`
`495`	`495`	`if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {`
`496`	`496`	`t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)`
`497`	`497`	`}`
	`498`	`+ if claim := issuerToChallengeClaim(IssuerTypeCodefreshWorkflow, ""); claim != "sub" {`
	`499`	`+ t.Fatalf("expected sub subject claim for Codefresh issuer, got %s", claim)`
	`500`	`+ }`
`498`	`501`	`if claim := issuerToChallengeClaim(IssuerTypeKubernetes, ""); claim != "sub" {`
`499`	`502`	`t.Fatalf("expected sub subject claim for K8S issuer, got %s", claim)`
`500`	`503`	`}`