Marcos Yacob
Force the rotation of Server SVID when it was signed by a tainted key. Depends on #3894 #3897
Upstream authorities are propagating the list of tainted keys, but we need a way to taint the local authority that was signed by a downstream key that is now tainted....
Remove cached JWT SVIDs that are signed by a tainted key. Depends on #3901
Update agent sync to rotate all cached SVIDs affected by a tainted key. Depends on #3901
Add a new package to push status to SPIRE Server and keep the list of tainted keys. The list of tainted keys must be kept here and propagated to Agent...
SPIRE Upstream authority must obtain the list of tainted keys from NewDownstreamX509CA and GetBundle, to propagate tainted keys to SPIRE Server. Depends on #3885 #3886 #3899
Propagate tainted keys when using NewDownstreamX509CA. Depends on #3885
Add taint field to JWT and X509 parsing code. Depends on #3885
Sigstore was added as an extension for the k8s workload attestor, and a [PR](https://github.com/spiffe/spire/pull/3504) was opened with an integration test. But it is using a signed image on a user repository,...