Allow provenance-less endorsement generation

[rbehjati]

Fixes #236 and #234

• Replaces ReferenceValues with VerificationOptions, which may or may not contain a ProvenanceReferenceValue object. The new VerificationOptions type allows invoking endorsement generation in the absence of any provenances.
• To get a good balance between expressiveness and simplicity, VerificationOptions is a protobuf.
• Consequently, toml files for reference value specification are replaced with textproto files.
• Removes binary digest from reference values, and explicitly passes it, alongside binary name, to GenerateEndorsement. This is required to enable provenance-less endorsement generation.

It's a good idea to open an issue first for discussion.

• Tests pass
• Appropriate changes to README are included in PR

[mariaschett]

Intermediate Comments :)

[mariaschett]

What are reference values here? Are they inside the VerificationOptions?

[rbehjati]

Thanks. Updated the comment. I meant VerificationOptions.

[mariaschett]

nit: what is a "provenance reference" and is it the same as a "reference provenance" in line 53?

[rbehjati]

Yes. I meant "reference provenance".

[mariaschett]

Not sure, but I think generally all fields to be optional is preferred. Happy to discuss offline!

[rbehjati]

I think you are right. The guidelines say:

Make all fields optional or repeated. You never know how long a message type is going to last and whether someone will be forced to fill in your required field with an empty string or zero in four years when it’s no longer logically required but the proto still says it is.

But I think for primitive fields it should be fine. Even though I have not made them explicitly optional, I can leave them unset.

Making them optional causes additional an unnecessary indirection, which does not look right.

[tiziano88]

In proto3, everything is optional by default.

[rbehjati]

I removed optional from other fields too. Here is the change in the generated Go code. Some oneof annotation and a oneof wrapper are removed. I am not sure if it has any serious impact on serialization.

[rbehjati]

Thanks for the review.

[rbehjati]

I think you are right. The guidelines say:

Make all fields optional or repeated. You never know how long a message type is going to last and whether someone will be forced to fill in your required field with an empty string or zero in four years when it’s no longer logically required but the proto still says it is.

But I think for primitive fields it should be fine. Even though I have not made them explicitly optional, I can leave them unset.

Making them optional causes additional an unnecessary indirection, which does not look right.

[rbehjati]

Thanks. Updated the comment. I meant VerificationOptions.

[rbehjati]

Yes. I meant "reference provenance".

[mariaschett]

I might be missing something on how SkipProvenanceVerification and the list of provenances interact. Could you have a look and let me know?

[mariaschett]

A design question: might it happen, that I accidentially endorse something if I forget to add a provenance? Do we want to make this more explict? E.g., make GenerateEndorsement private but expose two methods GenerateEndorsementWithProvenance and GenerateEndorsementWithoutProvenance?

[rbehjati]

That is being handled by the VerificationOptions. It requires explicitly setting skip provenance verification. If that is not set, at least one provenance is required.

So I'd say those accidents are unlikely.

[mariaschett]

Just checking: Don't you get from oneof in the proto definition that exactly one of verOpt is not nil?

[rbehjati]

No. I think this is a shortcoming of Go. I was able to create an instance where both options are null, so I had to add this check.

[mariaschett]

Ah, thanks! I'd have expected...

[mariaschett]

I am trying to understand what happens if we have multiple provenances but SkipProvenanceVerification.

IIUC the control flow lands here, but then GetReferenceProvenance would be nil? Is this okay with verifyProvenances?

On a higher level: What do we expect to happen then?

[rbehjati]

We expect the provenances to be consistent, but they are not verified against a set of reference values. Added tests to cover these scenarios.

[mariaschett]

Thanks, sounds good!

Just to double check: In the GetReferenceProvenance case, verifyProvenances will get nil for GetReferenceProvenance.

[rbehjati]

Good catch. Yes. verifyProvenances is called with a nil. Added a check to immediately return if the input ProvenanceReferenceValues is nil.

[mariaschett]

What happens if you give provenances and also set SkipProvenanceVerification?

[rbehjati]

Added a few tests and updated the documentation on GenerateEndorsement. It generates an endorsement with the given provenances as evidence, if the provenances are consistent and match the given subject.

Let me know if you expect some other behavior.

[mariaschett]

Hmmm... I am not sure I would expect "unverified provenances" as evidence, but actually: why not?

However, is it clear afterwards if the provenances were verified? Or does that not really matter?

[rbehjati]

They are not totally unverified. But they are not verified against a set of reference values. Actually this is similar to providing verification options with an empty ReferenceProvenance. Except that the latter enforces having some provenances. Clarified this, and renamed SkipVerification to EndorseProvenanceLess to be clear that we are not skipping the entire verification logic.

However, is it clear afterwards if the provenances were verified? Or does that not really matter?

Currently we don't include the verification options in the endorsement, but I think it is a good idea to include it. As an extension. Created #238.

[tiziano88]

FYI this is mostly solved by bazel and / or nix. Especially since the instructions here refer to latest, which will stop working at some point.

[rbehjati]

Thanks. We used to use bazel in this repo, and it caused a lot of problems. I think this is fine for now.

[tiziano88]

Having two different packages with the same name but in different locations in the same repo seems problematic. Maybe one of them should be renamed at some point

[rbehjati]

I agree, but I cannot think of a better name. I don't like long names with underscore in them.
Do you have any suggestions?

[rbehjati]

Renamed the other verification into verifier. The only files in it now are verifier.go and verifier_test.go so I think that makes sense.

[tiziano88]

Suggested change

	binaryHash = "d059c38cea82047ad316a1c6c6fbd13ecf7a0abdcc375463920bd25bf5c142cc"
	binaryDigestSha256 = "d059c38cea82047ad316a1c6c6fbd13ecf7a0abdcc375463920bd25bf5c142cc"

for consistency

[rbehjati]

Done.

[tiziano88]

Remove?

[rbehjati]

The template kept these as commented out. I think this is for convenience to be able to enable or disable them easily.

[tiziano88]

Ideally the tests (and the functions under tests) would not rely on the current time, but would accept a reference time from the outside. This will make them easier to test (without having to depend on relative times), and also avoid actual bugs (TOCTOU and related issues, if multiple functions get their own time.Now() independently at slightly different times).

[rbehjati]

For the endorsement to be valid the notBefore time should be after the issued time, which uses the current time. For the test to pass, we have to use the current time here.

[tiziano88]

I thought we were using the numeric multihash id somewhere else (from https://github.com/multiformats/multicodec/blob/master/table.csv ).

in particular sha256 is ambiguous; it should be sha2-256 or something like that, to be unambiguos -- but the numeric id solves that problem (without having to actual implement full multihash -- I don't think we should do that for now).

[rbehjati]

Not in this repo. This repo follows the in-toto and SLSA style of using digests. We can change that in the future, but that is out of the scope of this PR.

[rbehjati]

Thanks for the reviews.

[rbehjati]

That is being handled by the VerificationOptions. It requires explicitly setting skip provenance verification. If that is not set, at least one provenance is required.

So I'd say those accidents are unlikely.

[rbehjati]

No. I think this is a shortcoming of Go. I was able to create an instance where both options are null, so I had to add this check.

[rbehjati]

We expect the provenances to be consistent, but they are not verified against a set of reference values. Added tests to cover these scenarios.

[rbehjati]

Added a few tests and updated the documentation on GenerateEndorsement. It generates an endorsement with the given provenances as evidence, if the provenances are consistent and match the given subject.

Let me know if you expect some other behavior.

[rbehjati]

Thanks. We used to use bazel in this repo, and it caused a lot of problems. I think this is fine for now.

[rbehjati]

The template kept these as commented out. I think this is for convenience to be able to enable or disable them easily.

[rbehjati]

Done.

[rbehjati]

For the endorsement to be valid the notBefore time should be after the issued time, which uses the current time. For the test to pass, we have to use the current time here.

[rbehjati]

Not in this repo. This repo follows the in-toto and SLSA style of using digests. We can change that in the future, but that is out of the scope of this PR.

[rbehjati]

I agree, but I cannot think of a better name. I don't like long names with underscore in them.
Do you have any suggestions?

[mariaschett]

Looks good, added a couple more comments, where I wasn't 100% sure.

[mariaschett]

Ah, thanks! I'd have expected...

[mariaschett]

Hmmm... I am not sure I would expect "unverified provenances" as evidence, but actually: why not?

However, is it clear afterwards if the provenances were verified? Or does that not really matter?

[mariaschett]

Thanks, sounds good!

Just to double check: In the GetReferenceProvenance case, verifyProvenances will get nil for GetReferenceProvenance.

[mariaschett]

Maybe add a comment what happens if prover.ProvenanceReferenceValues == nil?

[rbehjati]

Done.