Skip to content

providers/filesystem: honor SIGSTORE_OIDC_TOKEN_FILE env var#4934

Open
dustinkirkland wants to merge 1 commit into
sigstore:mainfrom
dustinkirkland:cosign-filesystem-env-var
Open

providers/filesystem: honor SIGSTORE_OIDC_TOKEN_FILE env var#4934
dustinkirkland wants to merge 1 commit into
sigstore:mainfrom
dustinkirkland:cosign-filesystem-env-var

Conversation

@dustinkirkland

Copy link
Copy Markdown

Summary

The filesystem token provider currently reads from a hardcoded path (/var/run/sigstore/cosign/oidc-token). On container / Kubernetes workloads that's fine — the orchestrator bind-mounts the path at pod startup. On desktop or developer workstations, however, using this provider requires a one-time sudo mkdir -p /var/run/sigstore/cosign && sudo chown \$USER setup before anything writable can land there. That sudo step is the only privileged moment in an otherwise unprivileged "headless signing" workflow.

This PR lets SIGSTORE_OIDC_TOKEN_FILE override the default path with any user-writable location (e.g. ~/.sigstore/token), so the provider can be used unprivileged on dev machines. Behavior is unchanged when the env var is unset — the historical hardcoded path remains the default.

Why this matters

I'm prototyping a fully-headless gitsign signing flow against the public Fulcio for SSH-only dev workflows (where opening a graphical browser on the dev host is the original UX pain point — see https://github.com/sigstore/sigstore/blob/main/pkg/oauthflow/device.go). The flow:

sigstore-headless-login          # RFC 8628 device flow, writes JWT to disk
GITSIGN_TOKEN_PROVIDER=filesystem git commit ...

works end-to-end today with one wart: every user has to run sudo mkdir on every dev machine before they can write the token file. This PR removes that wart.

Tests

$ go test ./pkg/providers/filesystem/...
ok  	github.com/sigstore/cosign/v3/pkg/providers/filesystem	0.002s

Three new tests cover the default path, env-var override, and Provide() reading from the env-var-pointed location. No existing tests changed.

Backward compatibility

Strictly additive. The new env var is opt-in; every existing caller that doesn't set it sees the previous behavior.

🤖 Generated with Claude Code

The filesystem token provider currently reads from a hardcoded path
(/var/run/sigstore/cosign/oidc-token). On container/Kubernetes workloads
that's fine — the orchestrator bind-mounts the path at startup. On desktop
or developer workstations, however, using this provider requires a one-time
'sudo mkdir -p /var/run/sigstore/cosign && sudo chown $USER' setup before
anything writable can land there.

This change lets SIGSTORE_OIDC_TOKEN_FILE override the default path with any
user-writable location (e.g. ~/.sigstore/token), so the provider can be used
unprivileged on dev machines. Behavior is unchanged when the env var is
unset — the historical hardcoded path is still the default.

Signed-off-by: Dustin Kirkland <dustin.kirkland@chainguard.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant