1
0
Fork 0
mirror of https://github.com/imjasonh/sigstore-screenshot synced 2026-07-07 01:32:22 +00:00
No description
Find a file
Jason Hall a066133d2d
back to implicit flow, lots of minor improvements, still doesn't work
Signed-off-by: Jason Hall <jason@chainguard.dev>
2025-01-10 22:28:23 -05:00
LICENSE Initial commit 2025-01-10 14:10:16 -05:00
manifest.json back to implicit flow, lots of minor improvements, still doesn't work 2025-01-10 22:28:23 -05:00
popup.html initial commit 2025-01-10 14:10:36 -05:00
README.md back to implicit flow, lots of minor improvements, still doesn't work 2025-01-10 22:28:23 -05:00
service-worker.js back to implicit flow, lots of minor improvements, still doesn't work 2025-01-10 22:28:23 -05:00

Verifiable Screenshot Chrome Extension

With this extension, you can take a screenshot of a webpage with Cmd+Shift+6, and then the extension attests a digest of the screenshot to Rekor, using an ephemeral cert from Fulcio, tied to your identity.

This proves that you took the screenshot at a certain time, and that if the image ever changes there's no way to forge the attestation.

This doesn't currently work.


Notes for how to get this working:

So far this extension:

  1. listens for cmd+shift+6 to take a screenshot of the current tab
  2. does Google OAuth to get an ID token
  3. generates an ephemeral public/private keypair
  4. signs the ID token's sub with the private key
  5. posts the public key, token and signed token.sub to Fulcio
  6. 💥 fails with "There was an error processing the identity token" presumably because the id token doesn't have audience of sigstore -- but setting audience in the oauth request gets blocked by Google...

Once I get past that I think the next step is to:

  1. get the ephemeral cert returned by Fulcio
  2. take the digest of the screenshot data, wrap the digest in the correct envelope(s)
  3. post to Rekor
  4. get the log ID returned by Rekor, and redirect to search.sigstore.dev, and download the screenshot data.
  5. show verification instructions.