Assume Fulcio includes the workflow-SHA1 from the GitHub ID Token in the x509 certificate it generates.
- This implies that Fulcio checked the signature of the ID Token and that it verified against the GitHub OP JWK.
- This implies that the GitHub Action ran successfully and that the workflow-SHA1 in the x509 certificate commits to the code that ran in the GitHub Action.
Consider a GitHub Action which:
- Hardcodes the current GitHub OP JWKS in its code, so the workflow-SHA1 commits to the current GitHub OP JWKS.
- Simply checks that the GitHub OP JWKS hardcoded into it matches the GitHub OP JWKS served at the JWKS URI.
An ID Token for such a GitHub Action will only be issued by GitHub if the hardcoded JWKS matches the real JWKS at the JWKS URI. Thus, if Fulcio issues an x509 certificate for this ID Token, we know that the workflow-SHA1 represents a successful execution of this comparison, and that we can extract the hardcoded JWKS from the commit identified by the workflow-SHA1.
Thus, Fulcio+Rekor can function as a JWKS oracle for past GitHub OP public keys.
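As an added illustration (not Sigstore, Fulcio or GitHub code), the following script models the self-checking Action described above: it embeds a JWKS, canonicalizes both the embedded and the freshly fetched JWKS so key order and whitespace do not matter, and exits non-zero on any difference. The network fetch is replaced by an injected callable so the script runs offline; the JWKS contents, key IDs and modulus values are constructed samples, not GitHub's real keys. The `key_for_kid` helper shows the oracle step a later verifier would perform once it has recovered the JWKS from the commit at the workflow-SHA1.

```python
"""Toy model of a GitHub Action that pins the GitHub OP JWKS and refuses to
complete unless the JWKS served at the JWKS URI is identical.

Constructed example; not code from Sigstore, Fulcio or GitHub.
"""
import json
import sys
from typing import Callable, Dict, Optional

# Constructed sample JWKS (hypothetical kids and truncated moduli).
# In the real Action this literal is what the workflow-SHA1 commits to.
HARDCODED_JWKS: Dict = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "kid-2024-a",
         "n": "sample-modulus-a", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "kid-2024-b",
         "n": "sample-modulus-b", "e": "AQAB"},
    ]
}


def canonical_jwks(jwks: Dict) -> str:
    """Canonical form of a JWKS: keys sorted by kid, members sorted, compact.

    Comparing canonical strings makes the check insensitive to key order and
    formatting but sensitive to every field, so a rotated or altered key is
    always detected.
    """
    keys = sorted(jwks.get("keys", []), key=lambda k: k.get("kid", ""))
    return json.dumps({"keys": keys}, sort_keys=True, separators=(",", ":"))


def jwks_matches(hardcoded: Dict, live: Dict) -> bool:
    """True only if the live JWKS is byte-for-byte equal in canonical form."""
    return canonical_jwks(hardcoded) == canonical_jwks(live)


def run_action(fetch_live: Callable[[], Dict]) -> int:
    """The Action's body: fetch the JWKS from the JWKS URI and compare.

    `fetch_live` stands in for an HTTPS GET of the JWKS URI (assumption: in a
    real Action this would be a plain HTTP client call). Returns the process
    exit code: 0 means the job succeeds and an ID Token can be minted for it.
    """
    live = fetch_live()
    if not jwks_matches(HARDCODED_JWKS, live):
        print("JWKS mismatch: hardcoded JWKS differs from the JWKS URI", file=sys.stderr)
        return 1
    print("JWKS matches; hardcoded JWKS is current")
    return 0


def key_for_kid(jwks: Dict, kid: str) -> Optional[Dict]:
    """Oracle step: given the JWKS recovered from the commit at workflow-SHA1,
    select the key a historical ID Token's `kid` header points at."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None


if __name__ == "__main__":
    # Offline demo: a "live" fetch that returns the same keys in another order.
    sys.exit(run_action(lambda: {"keys": list(reversed(HARDCODED_JWKS["keys"]))}))
```

Because the comparison is over the full canonical JWKS, anyone who later finds a Fulcio certificate for this Action in Rekor can check out the commit at its workflow-SHA1 and read `HARDCODED_JWKS` as the set of GitHub OP public keys that was live when the certificate was issued.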