From 9571ff1a5c905ab214b1edab7c5592a64320c777 Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Thu, 14 Nov 2024 11:41:23 -0600
Subject: [PATCH] Fix verifying sigstore bundles for github trusted publishers (#5234)

We dont have the original jwt around any more, so re-create the policy based on whats intrinsic to the trusted publisher itself

Signed-off-by: Samuel Giddins
---
 .../oidc/trusted_publisher/github_action.rb | 21 ++++++++++++++-----
 app/models/pusher.rb | 2 +-
 test/integration/push_test.rb | 3 +--
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/app/models/oidc/trusted_publisher/github_action.rb b/app/models/oidc/trusted_publisher/github_action.rb
index 11bb59e7633..dfff396e0d8 100644
--- a/app/models/oidc/trusted_publisher/github_action.rb
+++ b/app/models/oidc/trusted_publisher/github_action.rb
@@ -119,11 +119,22 @@ def to_access_policy(jwt)
 )
 end
- def to_sigstore_identity_policy(ref)
- Sigstore::Policy::Identity.new(
- identity: "https://github.com/#{repository}/#{workflow_slug}@#{ref}",
- issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
- )
+ class SigstorePolicy
+ def initialize(trusted_publisher)
+ @trusted_publisher = trusted_publisher
+ end
+
+ def verify(cert)
+ ref = cert.openssl.find_extension("1.3.6.1.4.1.57264.1.14")&.value_der&.then { OpenSSL::ASN1.decode(_1).value }
+ Sigstore::Policy::Identity.new(
+ identity: "https://github.com/#{@trusted_publisher.repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
+ issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
+ ).verify(cert)
+ end
+ end
+
+ def to_sigstore_identity_policy
+ SigstorePolicy.new(self)
 end
 def name
diff --git a/app/models/pusher.rb b/app/models/pusher.rb
index 8a7f5508376..0f0dab75908 100644
--- a/app/models/pusher.rb
+++ b/app/models/pusher.rb
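Review bot: In `SigstorePolicy#verify`, a certificate without extension 1.3.6.1.4.1.57264.1.14 leaves `ref` nil through the `&.` chain, so the identity is built as `https://github.com/<repo>/<slug>@` and the mismatch presumably surfaces as a generic identity failure rather than an explicit "source ref extension missing" reason; consider checking `ref` before constructing `Sigstore::Policy::Identity` and returning the failure form that `Identity#verify` uses, so operators can tell a malformed certificate from a wrong workflow. The bare OID also deserves a comment on the `ref =` line, e.g. `# Fulcio "Source Repository Ref" extension (1.3.6.1.4.1.57264.1.14), e.g. refs/heads/main`. `OpenSSL::ASN1.decode(_1).value` assumes the extension payload is a single DER string primitive; if a different encoding ever appears, `.value` would not be a String and the interpolated identity would silently be wrong, so a `String === ref` check alongside the nil guard would make the failure explicit. The enclosing GitHubAction class starts and ends outside the hunk.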
@@ -175,7 +175,7 @@ def verify_sigstore
 return true if attestations.blank?
 return notify("Pushing with an attestation requires trusted publishing", 400) unless api_key.trusted_publisher?
- policy = api_key.owner.to_sigstore_identity_policy(api_key.oidc_id_token.jwt.dig("claims", "ref"))
+ policy = api_key.owner.to_sigstore_identity_policy
 artifact = Sigstore::Verification::V1::Artifact.new
 artifact.artifact = body.string
diff --git a/test/integration/push_test.rb b/test/integration/push_test.rb
index dcfc45ac0a3..ae4471a3852 100644
--- a/test/integration/push_test.rb
+++ b/test/integration/push_test.rb
@@ -25,8 +25,7 @@ class PushTest < ActionDispatch::IntegrationTest
 )
 @key = "543321"
- api_key = create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: @key, scopes: %i[push_rubygem])
- create(:oidc_id_token, api_key: api_key, jwt: { claims: { "ref" => "refs/heads/main" } })
+ create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: @key, scopes: %i[push_rubygem])
 signing_jwt = ["", { aud: "sigstore",
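Review bot: The line `policy = api_key.owner.to_sigstore_identity_policy` drops the binding between the attestation and the `ref` claim of the id token that minted the API key, and nothing in verify_sigstore now tells a reader where the ref in the identity comes from; a comment here would preserve that security reasoning, e.g. `# the policy reads ref from the signing certificate itself; the publisher record pins only repository, workflow and issuer`. If `api_key.owner` can be a trusted-publisher type other than GitHubAction, the zero-arity `to_sigstore_identity_policy` must exist there too, which cannot be confirmed from this hunk. verify_sigstore's body continues outside the hunk.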