feat(sc.sh): opt-in install of branch-preview tarballs via SIMPLE_CONTAINER_ALLOW_PREVIEW#278
Open
Cre-eD wants to merge 1 commit into
Open
feat(sc.sh): opt-in install of branch-preview tarballs via SIMPLE_CONTAINER_ALLOW_PREVIEW#278Cre-eD wants to merge 1 commit into
Cre-eD wants to merge 1 commit into
Conversation
…TAINER_ALLOW_PREVIEW
Why: production users testing a feature-branch SC build (e.g. before merging
an SC API PR that affects downstream consumers) currently can't use sc.sh —
the Phase 2c cert-identity regex is hard-pinned to push.yaml@refs/heads/main,
so every preview tarball trips cosign verification even though it's a
legitimately signed Sigstore bundle. Today the only workaround is to bypass
sc.sh entirely (`curl tarball + tar -xz`), which loses the signature check
the failgate was built to provide. The opt-in path documented here gives
preview testing back without weakening the production strict-mode default.
What:
- sc.sh: when SIMPLE_CONTAINER_ALLOW_PREVIEW=1 is set, widen the cert-identity
regex passed to `cosign verify-blob` to also accept
branch-preview.yaml@refs/heads/*. Default (env var unset / not "1") is
unchanged — only the production push.yaml@main identity is accepted.
Signature, Rekor log entry, and OIDC issuer are still verified end-to-end;
the broader regex is the only thing that changes.
- sc.sh: on signature failure where cosign reports a branch-preview signer,
surface a precise next-step ("rerun with SIMPLE_CONTAINER_ALLOW_PREVIEW=1
SIMPLE_CONTAINER_VERSION=...") instead of the generic compromise message,
so a user who knows they're installing a preview build gets a copy-paste
unblock instead of having to read the script.
- docs/SECURITY.md: document the opt-in env var alongside the existing
manual `cosign verify-blob` commands, and update the comment in
Verifying tarballs that wrongly claimed preview tarballs don't land at
the CDN (they do — branch-preview.yaml publishes them to the same bucket).
Why this is safe to relax:
1. The regex still anchors to simple-container-com/api workflows only; an
attacker cannot publish a malicious tarball under a different repo's
workflow identity.
2. The OIDC issuer is still pinned to GitHub's token endpoint.
3. Rekor log entry, Sigstore bundle, and tarball SHA-256 sidecar are all
still verified.
4. Production users default to strict. Picking up a preview build requires
explicit acknowledgement via env var — there's no implicit promotion of
any feature-branch identity into the production trust set.
Testing:
- Without env var: preview tarball is rejected with the new helpful message
pointing at SIMPLE_CONTAINER_ALLOW_PREVIEW=1 (verified against the
v2026.5.26-pre.4cc1a03-preview.4cc1a03 tarball published 2026-05-19).
- With env var: same tarball verifies and installs cleanly.
Refs PR #277 (the trigger for this fix — needed to validate the new
CloudTrail security alerts plugin schema end-to-end against a preview SC).
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Semgrep Scan ResultsRepository:
Scanned at 2026-05-19 19:52 UTC |
Security Scan ResultsRepository:
Scanned at 2026-05-19 19:54 UTC |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Production users testing a feature-branch SC build via `sc.sh` are blocked by the Phase 2c failgate: the cert-identity regex passed to `cosign verify-blob` is hard-pinned to `push.yaml@refs/heads/main`, so every preview tarball trips signature verification — even though it's a legitimately signed Sigstore bundle. The only workarounds today are:
Neither preserves the supply-chain integrity guarantee. This PR adds a documented opt-in env var that widens the regex without weakening the default strict mode.
Discovered while validating the CloudTrail security alerts plugin (PR #277) against a preview build of that branch — `sc.sh` refused the v2026.5.26-pre.4cc1a03-preview.4cc1a03 tarball with no actionable error.
What
`sc.sh` — opt-in regex relaxation
`verify_sc_tarball` now branches on the new `SIMPLE_CONTAINER_ALLOW_PREVIEW` env var:
Signature, Rekor log entry, OIDC issuer, and SHA-256 sidecar are all still verified end-to-end. The opt-in only changes which signer-workflow identities the regex permits.
`sc.sh` — actionable error on preview-signed-but-strict-mode
When cosign reports a `branch-preview.yaml` signer and the env var is unset, the script now surfaces a copy-paste unblock:
```
The tarball was signed by branch-preview.yaml (a feature-branch
build), not by the production push.yaml@main workflow. To allow
preview builds explicitly, rerun with:
SIMPLE_CONTAINER_ALLOW_PREVIEW=1 SIMPLE_CONTAINER_VERSION= \
bash <(curl -Ls https://dist.simple-container.com/sc.sh)
```
instead of the generic "tampered in transit / CDN compromised" copy.
`docs/SECURITY.md` — documentation
Security analysis
Why this is safe to relax behind an opt-in:
What this does NOT do:
Testing
Verified against the live preview build `v2026.5.26-pre.4cc1a03-preview.4cc1a03` (from the feat/cloudtrail-alerts-exclusions-and-new-detectors branch):
Test plan
Refs