Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor policy related code, add support for vuln verify #1747

Merged
merged 3 commits into from
Apr 12, 2022

Conversation

vaikas
Copy link
Contributor

@vaikas vaikas commented Apr 12, 2022

Signed-off-by: Ville Aikas vaikas@chainguard.dev

Summary

  • Add support for vuln attestation in verify-attestation
  • Refactor the attestation => json related bits for reusability + add UT
  • Adds example in-toto attestations for custom / vuln attestations in a form of testdata files, so folks can see examples
  • Add e2e tests + example vuln predicate as well as cue policies for validating vuln statements.

Ticket Link

Fixes

Release Note

Add support for vuln attestation in verify-attestation

Verified

This commit was signed with the committer’s verified signature.
DavideD Davide D'Alto
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@@ -122,7 +121,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
return errors.Wrap(err, "loading certificate from reference")
}
if c.CertChain == "" {
co.SigVerifier, err = signature.LoadVerifier(cert.PublicKey, crypto.SHA256)
co.SigVerifier, err = signature.LoadECDSAVerifier(cert.PublicKey.(*ecdsa.PublicKey), crypto.SHA256)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Umm, this seems a regression, as we will want to support ECDS and non ECDSA keys

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh snaps, that must have been a bad rebase, Thanks for catching this!!!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was added in #1740

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fun fact, I wanted to take a crack at actually combining these and verify.go flag handling as they are identical (see the name of my branch LOL ), but then went off the rails and did this instead. But I'll try to get to it :)

fi
echo '::endgroup::'

- name: Verify custom attestation with cosign, fails
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice

vaikas added 2 commits April 12, 2022 15:22
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas vaikas merged commit cf03ef2 into sigstore:main Apr 12, 2022
@vaikas vaikas deleted the unify-flags branch April 12, 2022 23:06
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 12, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
)

* Refactor policy related code, add support for vuln verify

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Thanks @hectorj2f for catching a bad upstream rebase.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Fix typo.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants