Skip to content

Commit

Permalink
Fixing CA Path Flag to be used and adding policy timestamp server flag (
Browse files Browse the repository at this point in the history
#353)

* Allow policies to be verified when signed by an identity-based signature and timestamp

---------

Signed-off-by: chaosinthecrd <[email protected]>
Signed-off-by: Tom Meadows <[email protected]>
Signed-off-by: John Kjell <[email protected]>
Co-authored-by: John Kjell <[email protected]>
  • Loading branch information
ChaosInTheCRD and jkjell authored May 16, 2024
1 parent 53aa6ad commit b951db3
Show file tree
Hide file tree
Showing 10 changed files with 341 additions and 32 deletions.
64 changes: 63 additions & 1 deletion cmd/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package cmd
import (
"context"
"crypto"
"crypto/x509"
"errors"
"fmt"
"os"
Expand All @@ -26,6 +27,7 @@ import (
"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/source"
"github.com/in-toto/go-witness/timestamp"
archivista_client "github.com/in-toto/witness/internal/archivista"
"github.com/in-toto/witness/internal/policy"
"github.com/in-toto/witness/options"
Expand All @@ -46,6 +48,10 @@ func VerifyCmd() *cobra.Command {
SilenceUsage: true,
DisableAutoGenTag: true,
RunE: func(cmd *cobra.Command, args []string) error {
if cmd.Flags().Lookup("policy-ca").Changed {
log.Warn("The flag `--policy-ca` is deprecated and will be removed in a future release. Please use `--policy-ca-root` and `--policy-ca-intermediate` instead.")
}

verifiers, err := loadVerifiers(cmd.Context(), vo.VerifierOptions, vo.KMSVerifierProviderOptions, providersFromFlags("verifier", cmd.Flags()))
if err != nil {
return fmt.Errorf("failed to load signer: %w", err)
Expand Down Expand Up @@ -76,7 +82,7 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
collectionSource = source.NewMultiSource(collectionSource, source.NewArchvistSource(archivistaClient))
}

if vo.KeyPath == "" && len(vo.CAPaths) == 0 && len(verifiers) == 0 {
if vo.KeyPath == "" && len(vo.PolicyCARootPaths) == 0 && len(verifiers) == 0 {
return fmt.Errorf("must supply either a public key, CA certificates or a verifier")
}

Expand All @@ -99,6 +105,57 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
verifiers = append(verifiers, v)
}

var policyRoots []*x509.Certificate
if len(vo.PolicyCARootPaths) > 0 {
for _, caPath := range vo.PolicyCARootPaths {
caFile, err := os.ReadFile(caPath)
if err != nil {
return fmt.Errorf("failed to read root CA certificate file: %w", err)
}

cert, err := cryptoutil.TryParseCertificate(caFile)
if err != nil {
return fmt.Errorf("failed to parse root CA certificate: %w", err)
}

policyRoots = append(policyRoots, cert)
}
}

var policyIntermediates []*x509.Certificate
if len(vo.PolicyCAIntermediatePaths) > 0 {
for _, caPath := range vo.PolicyCAIntermediatePaths {
caFile, err := os.ReadFile(caPath)
if err != nil {
return fmt.Errorf("failed to read intermediate CA certificate file: %w", err)
}

cert, err := cryptoutil.TryParseCertificate(caFile)
if err != nil {
return fmt.Errorf("failed to parse intermediate CA certificate: %w", err)
}

policyRoots = append(policyIntermediates, cert)
}
}

ptsVerifiers := make([]timestamp.TimestampVerifier, 0)
if len(vo.PolicyTimestampServers) > 0 {
for _, server := range vo.PolicyTimestampServers {
f, err := os.ReadFile(server)
if err != nil {
return fmt.Errorf("failed to open Timestamp Server CA certificate file: %w", err)
}

cert, err := cryptoutil.TryParseCertificate(f)
if err != nil {
return fmt.Errorf("failed to parse Timestamp Server CA certificate: %w", err)
}

ptsVerifiers = append(ptsVerifiers, timestamp.NewVerifier(timestamp.VerifyWithCerts([]*x509.Certificate{cert})))
}
}

policyEnvelope, err := policy.LoadPolicy(ctx, vo.PolicyFilePath, archivista_client.NewArchivistaClient(vo.ArchivistaOptions.Url, archivistaClient))
if err != nil {
return fmt.Errorf("failed to open policy file: %w", err)
Expand Down Expand Up @@ -134,6 +191,11 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
verifiers,
witness.VerifyWithSubjectDigests(subjects),
witness.VerifyWithCollectionSource(collectionSource),
witness.VerifyWithPolicyTimestampAuthorities(ptsVerifiers),
witness.VerifyWithPolicyCARoots(policyRoots),
witness.VerifyWithPolicyCAIntermediates(policyIntermediates),
witness.VerifyWithPolicyCertConstraints(vo.PolicyCommonName, vo.PolicyDNSNames, vo.PolicyEmails, vo.PolicyOrganizations, vo.PolicyURIs),
witness.VerifyWithPolicyFulcioCertExtensions(vo.PolicyFulcioCertExtensions),
)
if err != nil {
if verifiedEvidence.StepResults != nil {
Expand Down
125 changes: 125 additions & 0 deletions cmd/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,69 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func TestVerifyPolicyWithFulcio(t *testing.T) {
workingDir := t.TempDir()
cwd, err := os.Getwd()
if err != nil {
panic(err)
}

err = os.WriteFile(filepath.Join(workingDir, "fulcio.pem"), []byte(fulciopem), 0644)
if err != nil {
panic(err)
}

err = os.WriteFile(filepath.Join(workingDir, "freetsa.pem"), []byte(freetsapem), 0644)
if err != nil {
panic(err)
}

vo := options.VerifyOptions{
PolicyFilePath: filepath.Join(cwd, "../test/fulcio-policy-signed.json"),
PolicyTimestampServers: []string{filepath.Join(workingDir, "freetsa.pem")},
PolicyCARootPaths: []string{filepath.Join(workingDir, "fulcio.pem")},
AttestationFilePaths: []string{filepath.Join(cwd, "../test/test.json")},
ArtifactFilePath: filepath.Join(cwd, "../test/test.txt"),
PolicyCommonName: "*",
PolicyURIs: []string{"*"},
PolicyDNSNames: []string{"*"},
PolicyEmails: []string{"*"},
PolicyOrganizations: []string{"*"},
}

require.NoError(t, runVerify(context.Background(), vo))
}

// Same test but deliberately missing the CA file path for verifying the policy
func TestVerifyPolicyWrongCAFile(t *testing.T) {
workingDir := t.TempDir()
cwd, err := os.Getwd()
if err != nil {
panic(err)
}

// we're going to write the wrong CA file here to ensure that it fails
err = os.WriteFile(filepath.Join(workingDir, "badca.pem"), []byte(freetsapem), 0644)
if err != nil {
panic(err)
}

err = os.WriteFile(filepath.Join(workingDir, "freetsa.pem"), []byte(freetsapem), 0644)
if err != nil {
panic(err)
}

vo := options.VerifyOptions{
PolicyFilePath: filepath.Join(cwd, "../test/fulcio-policy-signed.json"),
PolicyTimestampServers: []string{filepath.Join(workingDir, "freetsa.pem")},
PolicyCARootPaths: []string{filepath.Join(workingDir, "badca.pem")},
AttestationFilePaths: []string{filepath.Join(cwd, "../test/test.json")},
ArtifactFilePath: filepath.Join(cwd, "../test/test.txt"),
}

require.ErrorContains(t, runVerify(context.Background(), vo), "failed to verify policy: attestors failed with error messages\nfailed to verify policy signature: could not verify policy: no valid signatures for the provided verifiers found for keyids:\n")
}

func TestRunVerifyCA(t *testing.T) {
ca, intermediates, leafcert, leafkey := fullChain(t)

Expand Down Expand Up @@ -355,3 +418,65 @@ func createTestRSAKey() (cryptoutil.Signer, cryptoutil.Verifier, []byte, []byte,

return signer, verifier, pemBytes, privKeyBytes, nil
}

const (
fulciopem = `-----BEGIN CERTIFICATE-----
MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl
LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7
XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex
X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j
YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY
wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ
KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
-----END CERTIFICATE-----
`
freetsapem = `-----BEGIN CERTIFICATE-----
MIIH/zCCBeegAwIBAgIJAMHphhYNqOmAMA0GCSqGSIb3DQEBDQUAMIGVMREwDwYD
VQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9vdCBDQTEYMBYGA1UEAxMPd3d3LmZy
ZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNidXNpbGV6YXNAZ21haWwuY29tMRIw
EAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgTBkJheWVybjELMAkGA1UEBhMCREUw
HhcNMTYwMzEzMDE1MjEzWhcNNDEwMzA3MDE1MjEzWjCBlTERMA8GA1UEChMIRnJl
ZSBUU0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9y
ZzEiMCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJ
V3VlcnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgKODjAy8REQ2WTNqUudAnjhlCrpE6ql
mQfNppeTmVvZrH4zutn+NwTaHAGpjSGv4/WRpZ1wZ3BRZ5mPUBZyLgq0YrIfQ5Fx
0s/MRZPzc1r3lKWrMR9sAQx4mN4z11xFEO529L0dFJjPF9MD8Gpd2feWzGyptlel
b+PqT+++fOa2oY0+NaMM7l/xcNHPOaMz0/2olk0i22hbKeVhvokPCqhFhzsuhKsm
q4Of/o+t6dI7sx5h0nPMm4gGSRhfq+z6BTRgCrqQG2FOLoVFgt6iIm/BnNffUr7V
DYd3zZmIwFOj/H3DKHoGik/xK3E82YA2ZulVOFRW/zj4ApjPa5OFbpIkd0pmzxzd
EcL479hSA9dFiyVmSxPtY5ze1P+BE9bMU1PScpRzw8MHFXxyKqW13Qv7LWw4sbk3
SciB7GACbQiVGzgkvXG6y85HOuvWNvC5GLSiyP9GlPB0V68tbxz4JVTRdw/Xn/XT
FNzRBM3cq8lBOAVt/PAX5+uFcv1S9wFE8YjaBfWCP1jdBil+c4e+0tdywT2oJmYB
BF/kEt1wmGwMmHunNEuQNzh1FtJY54hbUfiWi38mASE7xMtMhfj/C4SvapiDN837
gYaPfs8x3KZxbX7C3YAsFnJinlwAUss1fdKar8Q/YVs7H/nU4c4Ixxxz4f67fcVq
M2ITKentbCMCAwEAAaOCAk4wggJKMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQD
AgHGMB0GA1UdDgQWBBT6VQ2MNGZRQ0z357OnbJWveuaklzCBygYDVR0jBIHCMIG/
gBT6VQ2MNGZRQ0z357OnbJWveuakl6GBm6SBmDCBlTERMA8GA1UEChMIRnJlZSBU
U0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9yZzEi
MCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJV3Vl
cnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFggkAwemGFg2o6YAw
MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy5mcmVldHNhLm9yZy9yb290X2Nh
LmNybDCBzwYDVR0gBIHHMIHEMIHBBgorBgEEAYHyJAEBMIGyMDMGCCsGAQUFBwIB
FidodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2ZyZWV0c2FfY3BzLmh0bWwwMgYIKwYB
BQUHAgEWJmh0dHA6Ly93d3cuZnJlZXRzYS5vcmcvZnJlZXRzYV9jcHMucGRmMEcG
CCsGAQUFBwICMDsaOUZyZWVUU0EgdHJ1c3RlZCB0aW1lc3RhbXBpbmcgU29mdHdh
cmUgYXMgYSBTZXJ2aWNlIChTYWFTKTA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUH
MAGGG2h0dHA6Ly93d3cuZnJlZXRzYS5vcmc6MjU2MDANBgkqhkiG9w0BAQ0FAAOC
AgEAaK9+v5OFYu9M6ztYC+L69sw1omdyli89lZAfpWMMh9CRmJhM6KBqM/ipwoLt
nxyxGsbCPhcQjuTvzm+ylN6VwTMmIlVyVSLKYZcdSjt/eCUN+41K7sD7GVmxZBAF
ILnBDmTGJmLkrU0KuuIpj8lI/E6Z6NnmuP2+RAQSHsfBQi6sssnXMo4HOW5gtPO7
gDrUpVXID++1P4XndkoKn7Svw5n0zS9fv1hxBcYIHPPQUze2u30bAQt0n0iIyRLz
aWuhtpAtd7ffwEbASgzB7E+NGF4tpV37e8KiA2xiGSRqT5ndu28fgpOY87gD3ArZ
DctZvvTCfHdAS5kEO3gnGGeZEVLDmfEsv8TGJa3AljVa5E40IQDsUXpQLi8G+UC4
1DWZu8EVT4rnYaCw1VX7ShOR1PNCCvjb8S8tfdudd9zhU3gEB0rxdeTy1tVbNLXW
99y90xcwr1ZIDUwM/xQ/noO8FRhm0LoPC73Ef+J4ZBdrvWwauF3zJe33d4ibxEcb
8/pz5WzFkeixYM2nsHhqHsBKw7JPouKNXRnl5IAE1eFmqDyC7G/VT7OF669xM6hb
Ut5G21JE4cNK6NNucS+fzg1JPX0+3VhsYZjj7D5uljRvQXrJ8iHgr/M6j2oLHvTA
I2MLdq2qjZFDOCXsxBxJpbmLGBx9ow6ZerlUxzws2AWv2pk=
-----END CERTIFICATE-----`
)
50 changes: 32 additions & 18 deletions docs/commands.md
Original file line number Diff line number Diff line change
Expand Up @@ -170,24 +170,38 @@ witness verify [flags]
### Options

```
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-f, --artifactfile string Path to the artifact to verify
-a, --attestations strings Attestation files to test against the policy
--enable-archivista Use Archivista to store or retrieve attestations
-h, --help help for verify
-p, --policy string Path to the policy to verify
--policy-ca strings Paths to CA certificates to use for verifying the policy
-k, --publickey string Path to the policy signer's public key
-s, --subjects strings Additional subjects to lookup attestations
--verifier-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--verifier-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--verifier-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name
--verifier-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--verifier-kms-aws-remote-verify verify signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--verifier-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--verifier-kms-hashType string The hash type used for verifying (default "sha256")
--verifier-kms-keyVersion string The key version to use for signing
--verifier-kms-ref string The KMS Reference URI to use for connecting to the KMS service
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-f, --artifactfile string Path to the artifact to verify
-a, --attestations strings Attestation files to test against the policy
--enable-archivista Use Archivista to store or retrieve attestations
-h, --help help for verify
-p, --policy string Path to the policy to verify
--policy-ca strings Paths to CA certificates to use for verifying the policy (deprecated: use --policy-ca-roots instead)
--policy-ca-intermediates strings Paths to CA intermediate certificates to use for verifying a policy signed with x.509
--policy-ca-roots strings Paths to CA root certificates to use for verifying a policy signed with x.509
--policy-commonname string The common name to use when verifying a policy signed with x.509 (default "*")
--policy-dns-names strings The DNS names to use when verifying a policy signed with x.509 (default [*])
--policy-emails strings The DNS names to use when verifying a policy signed with x.509 (default [*])
--policy-fulcio-build-trigger string Event or action that initiated the build.
--policy-fulcio-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
--policy-fulcio-run-invocation-uri string Run Invocation URL to uniquely identify the build execution.
--policy-fulcio-source-repository-digest string Immutable reference to a specific version of the source code that the build was based upon.
--policy-fulcio-source-repository-identifier string Immutable identifier for the source repository the workflow was based upon.
--policy-fulcio-source-repository-ref string Source Repository Ref that the build run was based upon.
--policy-organizations strings The organizations to use when verifying a policy signed with x.509 (default [*])
--policy-timestamp-servers strings Paths to the CA certificates for Timestamp Authority Servers to use when verifying policy signed with x.509
--policy-uris strings The URIs to use when verifying a policy signed with x.509 (default [*])
-k, --publickey string Path to the policy signer's public key
-s, --subjects strings Additional subjects to lookup attestations
--verifier-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--verifier-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--verifier-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name
--verifier-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--verifier-kms-aws-remote-verify verify signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--verifier-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--verifier-kms-hashType string The hash type used for verifying (default "sha256")
--verifier-kms-keyVersion string The key version to use for signing
--verifier-kms-ref string The KMS Reference URI to use for connecting to the KMS service
```

### Options inherited from parent commands
Expand Down
20 changes: 10 additions & 10 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,9 @@ go 1.22.0
toolchain go1.22.2

require (
github.com/in-toto/go-witness v0.3.2-0.20240510181827-f346f85d8c53
github.com/in-toto/go-witness v0.3.2-0.20240514141512-777497a51359
github.com/olekukonko/tablewriter v0.0.5
github.com/sigstore/fulcio v1.4.5
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
Expand Down Expand Up @@ -40,18 +41,18 @@ require (
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aws/aws-sdk-go v1.50.38 // indirect
github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.13 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.13 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.31.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 // indirect
github.com/aws/smithy-go v1.20.2 // indirect
github.com/bahlo/generic-list-go v0.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
Expand Down Expand Up @@ -89,7 +90,7 @@ require (
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
github.com/in-toto/archivista v0.4.0 // indirect
github.com/in-toto/attestation v1.0.1 // indirect
github.com/in-toto/attestation v1.0.2 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/invopop/jsonschema v0.12.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
Expand Down Expand Up @@ -120,7 +121,6 @@ require (
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/sigstore/fulcio v1.4.5 // indirect
github.com/sigstore/sigstore v1.8.3 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
Expand Down Expand Up @@ -159,7 +159,7 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
google.golang.org/grpc v1.63.2 // indirect
google.golang.org/protobuf v1.34.0 // indirect
google.golang.org/protobuf v1.34.1 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
Expand Down
Loading

0 comments on commit b951db3

Please sign in to comment.