Add verify-blob-attestation command and tests #2337
Conversation
priyawadhwa
force-pushed
the
verify-attest-blob
branch
2 times, most recently
from
864be03
to
0873f39
Compare
Codecov Report
@@ Coverage Diff @@
## main #2337 +/- ##
==========================================
- Coverage 29.99% 29.80% -0.20%
==========================================
Files 133 134 +1
Lines 8142 8275 +133
==========================================
+ Hits 2442 2466 +24
- Misses 5376 5479 +103
- Partials 324 330 +6
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
priyawadhwa
force-pushed
the
verify-attest-blob
branch
4 times, most recently
from
9fb4747
to
a1468dc
Compare
Signed-off-by: Priya Wadhwa <[email protected]>
priyawadhwa
force-pushed
the
verify-attest-blob
branch
from
a1468dc
to
d7bd9d0
Compare
| if statement.Subject == nil { | ||
| return fmt.Errorf("no subject in intoto statement") | ||
| } | ||
| if len(statement.Subject) != 1 { |
There was a problem hiding this comment.
should this definitely be a requirement? if the attestation signed over say, a jar file and a pom file, the attestation should verify against the jar file, right?
There was a problem hiding this comment.
it's sad that IntotoSubjectClaimVerifier logic needs refactoring to be reused..
There was a problem hiding this comment.
Ah I added this in because attest-blob only allows one subject at the moment. I can remove this requirement in a follow-up PR though!
|
I just realized: this will deprecate yay! that had some problems anyway |
Signed-off-by: Ville Aikas <[email protected]>
| @@ -154,3 +154,23 @@ func (o *VerifyDockerfileOptions) AddFlags(cmd *cobra.Command) { | |||
| cmd.Flags().BoolVar(&o.BaseImageOnly, "base-image-only", false, | |||
| "only verify the base image (the last FROM image in the Dockerfile)") | |||
| } | |||
|
|
|||
| // VerifyBlobOptions is the top level wrapper for the `verify blob` command. | |||
There was a problem hiding this comment.
nit, this seems like cut&paste?
VerifyBlobAttestationOptions is ... verify-blob-attestation command.
|
|
||
| The signature may be specified as a path to a file or a base64 encoded string. | ||
| The blob may be specified as a path to a file.`, | ||
| Example: ` cosign verify-blob-attestastion (--key <key path>|<key url>|<kms uri>) --signature <sig> [path to BLOB] |
There was a problem hiding this comment.
nit verify-blob-attestation
| Example: ` cosign verify-blob-attestastion (--key <key path>|<key url>|<kms uri>) --signature <sig> [path to BLOB] | ||
|
|
||
| # Verify a simple blob attestation with a DSSE style signature | ||
| cosign verify-blob-attestastion --key cosign.pub (--signature <sig path>|<sig url>)[path to BLOB] |
* Nits for #2337 Signed-off-by: Ville Aikas <[email protected]> * run docgen. Signed-off-by: Ville Aikas <[email protected]> Signed-off-by: Ville Aikas <[email protected]>
Summary
Release Note
Documentation