mirror of
https://github.com/imjasonh/sigstore-screenshot
synced 2026-07-07 01:32:22 +00:00
No description
|
|
||
|---|---|---|
| LICENSE | ||
| manifest.json | ||
| popup.html | ||
| README.md | ||
| service-worker.js | ||
Verifiable Screenshot Chrome Extension
With this extension, you can take a screenshot of a webpage with Cmd+Shift+6, and then the extension attests a digest of the screenshot to Rekor, using an ephemeral cert from Fulcio, tied to your identity.
This proves that you took the screenshot at a certain time, and that if the image ever changes there's no way to forge the attestation.
This doesn't currently work.
Notes for how to get this working:
- get a stable extension ID as documented in https://developer.chrome.com/docs/extensions/how-to/integrate/oauth
- create a GCP project, create OAuth Credentials
- not a Chrome Extension but a regular Web Application
- with redirect URL
https://XXXXXX.chromiumapp.org
So far this extension:
- listens for
cmd+shift+6to take a screenshot of the current tab - does Google OAuth to get an ID token
- generates an ephemeral public/private keypair
- signs the ID token's
subwith the private key - posts the public key, token and signed
token.subto Fulcio - 💥 fails with
"There was an error processing the identity token"presumably because the id token doesn't have audience ofsigstore-- but settingaudiencein the oauth request gets blocked by Google...
Once I get past that I think the next step is to:
- get the ephemeral cert returned by Fulcio
- take the digest of the screenshot data, wrap the digest in the correct envelope(s)
- post to Rekor
- get the log ID returned by Rekor, and redirect to search.sigstore.dev, and download the screenshot data.
- show verification instructions.