buildx(install): workaround to check subjectAlternativeName

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax
2026-01-13 13:39:43 +01:00
parent d830716b30
commit 89e14b0d85


@@ -14,6 +14,7 @@
* limitations under the License.
*/
import {X509Certificate} from 'crypto';
import fs from 'fs';
import os from 'os';
import path from 'path';
@@ -245,10 +246,14 @@ export class Install {
try {
core.info(`Verifying Buildx binary signature`);
const signedEntity = toSignedEntity(bundle, fs.readFileSync(binPath));
const signingCert = new X509Certificate(signedEntity.signature.signature);
if (!signingCert.subjectAltName?.match(/^https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/bake\.yml.*$/)) {
throw new Error(`Signing certificate subjectAlternativeName "${signingCert.subjectAltName}" does not match expected pattern`);
}
const verifier = new Verifier(trustMaterial);
const signer = verifier.verify(signedEntity, {
// FIXME: uncomment when subjectAlternativeName check with regex is supported: https://github.com/docker/actions-toolkit/pull/929#discussion_r2682150413
//subjectAlternativeName: /^https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/build\.yml.*$/,
//subjectAlternativeName: /^https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/bake\.yml.*$/,
extensions: {issuer: 'https://token.actions.githubusercontent.com'}
});
core.debug(`Install.verifySignature signer: ${JSON.stringify(signer)}`);
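Review bot: The new `subjectAltName` check anchors the pattern with `^https`, but Node's `X509Certificate.subjectAltName` renders each entry with its type prefix (a URI entry comes back as `URI:https://...`), so on that reading the match would fail and the install would always throw; this is worth confirming against a real signing certificate before relying on it, and a tolerant form is `/^(?:URI:)?https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/bake\.yml.*$/`. Separately, the trailing `.*$` accepts any suffix after `bake.yml`, so the workflow ref is not pinned; if only specific branches or tags should be trusted, match the `@refs/...` portion explicitly rather than leaving it open. Stylistically, `.test()` reads better than `.match()` for a boolean check, and hoisting the regex to a module-level constant avoids repeating it once the FIXME below is resolved. The enclosing try block continues outside the hunk.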