There's a recent attack that manages to re-name repositories https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e, which would bypass the current provenance verification.
We can protect against this by recording the repository_id, see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
This could also be added to Fulcio's certificate generation. @asraa shall we start a thread about this on sigstore repos?
For the time being, let's record it as part of the invocation, and provide some examples in the README how to extract it, e.g. via ja
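
A sketch of the check proposed above, added here as an illustration and not taken from the project's code: a verifier pins both the repository name and the `repository_id` claim of the GitHub OIDC token and rejects a token whose name matches but whose id does not. The function names, the pinned values and the sample tokens are constructed, and signature verification of the token is assumed to happen elsewhere.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT.

    Assumption: the signature was already verified against the issuer's keys;
    this helper only parses the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_source(claims: dict, pinned_repo: str, pinned_repo_id: str) -> list:
    """Return the list of mismatches; an empty list means the source matches the pin."""
    problems = []
    if claims.get("repository") != pinned_repo:
        problems.append("repository name mismatch")
    # A repository created later under the same name gets a different id,
    # so the id catches what a name-only comparison misses.
    if str(claims.get("repository_id", "")) != str(pinned_repo_id):
        problems.append("repository_id mismatch")
    return problems


def make_token(claims: dict) -> str:
    # Constructed, unsigned sample token used only to exercise the check.
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


# Constructed sample values, not real repositories or ids.
PINNED = ("example-org/example-repo", "123456789")
GENUINE = make_token({"repository": PINNED[0], "repository_id": "123456789"})
REREGISTERED = make_token({"repository": PINNED[0], "repository_id": "987654321"})

if __name__ == "__main__":
    for label, tok in (("genuine", GENUINE), ("re-registered", REREGISTERED)):
        print(label, check_source(jwt_claims(tok), *PINNED) or "ok")
```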