OIDC Verification Cheat Sheet
Identity Verification Cheat Sheet
Verying identity from OIDC issuers
To verify a signature created with an OIDC issuer, you need to know the following:
certificate-identity: Valid values include email address, DNS names, IP addresses, and URIscertificate-oidc-issuer: the url associated with the OIDC issuer
| Issuer | certificate-oidc-issuer |
|---|---|
| GitHub | https://github.com/login/oauth |
| GitLab | https://gitlab.com |
| https://accounts.google.com | |
| Microsoft | https://login.microsoftonline.com |
If you are unsure of what values to expect, search the project’s README, documentation, or website.
Verifying a signature created by a workflow
To verify a signature created by a workflow, you still need both the certificate-identity and the certificate-oidc-issuer, but they look a little different than when the signature is manually generated.
For the case of a signature created with GitHub actions:
| Issuer | certificate-oidc-issuer | certificate-identity |
|---|---|---|
| Buildkite | https://agent.buildkite.com | https://buildkite.com/ORGANIZATION/APP_ID |
| Codefresh | https://oidc.codefresh.io | https://g.codefresh.io/ACCOUNT_NAME/PROJECT_NAME/PIPELINE_NAME:ACCOUNT_ID/PIPELINE_IDPIPELINE_ID |
| GitHub Actions | https://token.actions.githubusercontent.com | https://github.com/USERNAME/REPOSITORY_NAME/.github/workflows/WORKFLOW_NAME@refs/heads/BRANCH_NAME |
| GitLab CI | https://gitlab.com | https://gitlab.com/PROJECT_PATH//CI_CONFIG_PATH@REF_PATH |