mirror of
https://github.com/imjasonh/esp32
synced 2026-07-06 23:52:24 +00:00
Each OTA fetch is now gated on a Sigstore Bundle signature whose Fulcio cert identifies a member of an allowlist hardcoded in src/trust.rs (currently imjasonh@gmail.com / accounts.google.com). The allowlist cannot be changed via OTA -- only by editing source and reflashing over USB. Publisher (Makefile): make publish now runs cosign sign --yes after the publisher push. Cosign keyless OIDC pops a browser the first time; subsequent signs reuse the cached token within ~10min. Firmware: - src/trust.rs: TRUSTED_IDENTITIES list + bundled Sigstore root and intermediate CA PEMs (trust/fulcio_root.pem, fulcio_intermediate.pem). - src/sig.rs: parse Sigstore Bundle v0.3 (DSSE envelope), verify (a) Fulcio cert SAN email + OID 1.3.6.1.4.1.57264.1.1 issuer match the allowlist, (b) leaf cert chains to bundled Sigstore root via P-384 ECDSA-SHA384, (c) DSSE signature verifies via P-256 ECDSA-SHA256 over the PAE, (d) in-toto Statement subject digest binds to our manifest digest. - src/ota.rs: fetch_manifest now returns the manifest's own SHA256 (the digest cosign signed), not just the parsed body. New fetch_signature_bundle walks the OCI 1.1 referrers layout cosign uses (image index -> inner manifest -> bundle blob). Sig is fetched and verified before the firmware download starts. Crates: p256, p384, x509-cert (with pem feature), base64. Adds ~350 KB to the firmware -- repartitioned ota slots from 1.5MB to 1.75MB to fit (USB-only migration). Bumped OTA thread stack to 48KB for cert-parsing headroom. Verified end-to-end: Jason signed :latest with cosign keyless, device polled, all four verification steps passed (identity, chain, DSSE sig, in-toto binding), then downloaded and applied as before. Phase 4b (Rekor SET / transparency log inclusion proof) and 4c (operational hardening) remain. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| fulcio_intermediate.pem | ||
| fulcio_root.pem | ||