Signer should handle ExpiredCertificate?

[jku]

I was reviewing sign.py and noticed that

• we cache Fulcio certificate by default
• we don't try to renew the certificate when it expires, just raise ExpiredCertificate

It would probably be harmless and good UX to renew the cert in Signer (if OIDC token is still alive). This would obviously only apply to some processes where hundreds of artifacts are being signed.

I'll run some tests before actually proposing anything but I'm filing this already so I don't forget

[jku]

This might not be that useful since

• dex tokens are short lived (shorter than fulcio cert)
• CI OIDC tokens are probably likely short lived

[woodruffw]

Yeah, I think that's why we didn't do it originally 🙂 -- in practice the OIDC cred itself expires when/before the cached signing cert does, so the signer API would need to go through the (potentially interactive) OIDC retrieval flow again.

[jku]

I just checked and I believe the GCP workload token has a 60 minute expiry

• so theoretically the fulcio cert expires earlier (10 mins)
• that's still a lot of signing time even with rekor2 so fixing this is not that important

The minor improvement this would make is that users who do massive signing operations would only need to handle ExpiredIdentity: ExpiredCertificate would be handled internally.