How to Use OpenPubkey with GitHub Actions Workloads
In the ever-evolving landscape of cybersecurity and identity management, the OpenPubkey initiative stands out as a promising endeavor, bringing together BastionZero, Docker, and the Linux Foundation. This collaborative effort aims to revolutionize the integration of public keys into Single Sign-On (SSO) workflows, particularly with identity providers that support OpenID Connect (OIDC). In this comprehensive blog post, we will delve into the intricacies of using OpenPubkey with GitHub Actions workloads, shedding light on its applications, benefits, and technical considerations.
Understanding the Role of ID Tokens
To embark on our exploration, let's first grasp the fundamentals of the OpenID Connect protocol and its significant artifact - the ID token. An ID token is a cryptographic token issued by an OIDC identity provider (OP) upon a user's successful single sign-on. This token encapsulates crucial user identity information, such as email addresses, and is cryptographically signed by the OP.
GitHub Actions: Bridging Workloads and ID Tokens
GitHub Actions, the workflow automation tool within the GitHub platform, plays a pivotal role in our narrative. When a GitHub Action workload is initiated, GitHub assigns it a unique API key and secret. Leveraging this, the GitHub Action authenticates with GitHub's OP, obtaining an OIDC ID token. This token becomes the key to proving the authentication of the GitHub Action to third-party services.
Diving deeper, GitHub uses the job_workflow_ref claim within the ID token as the identity of the workflow. This claim points to the location of the file from which the GitHub Action is built, providing verifiers with the means to identify and validate the origin of the workflow.
Crafting Workload Identities with PK Tokens
Now, let's shift our focus to OpenPubkey and how it enhances the identity binding process. OpenPubkey introduces the concept of PK tokens, cryptographic objects that bind public keys to workload identities. When a GitHub Action workload authenticates with GitHub's OP, it sets the audience field in the ID token to the cryptographic hash of the workload's public key along with some random noise. This effectively embeds the identity of the workload in the ID token.
The PK token, essentially a JSON Web Signature (JWS), encapsulates the ID token, the workload's public key, and a cryptographic proof of access to the signing key. This PK token can then be presented to any OpenPubkey verifier, which uses OIDC to obtain GitHub OP's public key and validates the ID token. The verifier can then utilize the workload's public key for various cryptographic operations.
Embracing Ephemeral Keys for Enhanced Security
Security is paramount in any identity management system. OpenPubkey supports the use of ephemeral keys - keys with a short lifespan. Workloads generate a new public-private key pair, authenticate to the OP to obtain a PK token, sign objects using the private key, and promptly discard the private key. This ephemeral key approach ensures improved security and reduces operational overhead associated with long-term key management.
Unveiling One-Time-Use PK Tokens
Taking security a step further, OpenPubkey introduces the concept of one-time-use PK tokens. In this scenario, the audience claim in the ID token includes the cryptographic hash of the public key, the hash of the object to be signed, and random noise. Verifiers then validate PK tokens by confirming the inclusion of the signed object's hash in the audience claim, ensuring a higher level of security for sensitive operations.
领英推荐
Docker's Journey with OpenPubkey in GitHub Actions
A tangible application of OpenPubkey in real-world scenarios is Docker's collaboration with GitHub Actions. Docker utilizes OpenPubkey with GitHub Actions workloads to sign in-toto attestations on Docker Official Images. The workflow involves generating a fresh ephemeral public-private key pair, obtaining the PK token for the public key via OpenPubkey, and signing attestations on the image using the private key. The private key is responsibly discarded, and the signed image, along with its signature and PK token, is made available on the Docker Hub container registry.
Unleashing the Potential: Other OpenPubkey Use Cases
Beyond the realms of GitHub Actions and Docker, OpenPubkey opens doors to a myriad of possibilities. Consider the following ideas to harness the full potential of OpenPubkey and GitHub Actions:
Technical Considerations: Addressing Challenges
As with any innovative technology, OpenPubkey raises certain technical considerations that merit attention:
ID Token Exposure
In scenarios where PK tokens are made broadly available to the public, OpenPubkey introduces Guillou-Quisquater (GQ) signatures. These signatures replace the OP's signature in the ID token, mitigating the risk of token replay attacks while preserving the security of the OP's RSA signature.
OP Key Rotation
Identity providers often rotate their OpenID Connect keys for security reasons. OpenPubkey addresses this by recommending the re-authentication of users and the creation of new PK tokens when the OP rotates its key. Historical logs of OP public keys can also be maintained for use after they expire, ensuring a seamless transition.
Conclusion
In conclusion, OpenPubkey emerges as a powerful tool in the realm of identity management, particularly within the GitHub Actions ecosystem. Its seamless integration with GitHub Actions workloads, support for ephemeral keys, and innovative features like one-time-use PK tokens showcase its potential to elevate security standards in diverse use cases.
As OpenPubkey continues to evolve, the invitation is extended to developers, security enthusiasts, and technology enthusiasts to explore, contribute, and envision new horizons for this open-source initiative. Visit the OpenPubkey repository on GitHub to engage with the community, access documentation, and be part of the transformative journey towards a more secure and efficient identity management landscape. Let's unlock the full potential of OpenPubkey and shape the future of identity in the digital age.