Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor bundle validation code, add support for DSSE rekor type #3016

Merged
merged 7 commits into from
Jun 15, 2023

Conversation

bobcallaway
Copy link
Member

Summary

This refactors the bundle verification code to only parse entry JSON once, and use reflection to determine the appropriate way to extract the Rekor-type specific information.

Also adds support for the newly added DSSE type in Rekor (currently only deployed to staging, not production). I will propose a new PR to switch over the default behavior to use dsse instead of intoto Rekor type once this goes live into production.

Release Note

NONE

Documentation

@codecov
Copy link

codecov bot commented May 30, 2023

Codecov Report

Merging #3016 (eb62e59) into main (80c0f88) will decrease coverage by 0.07%.
The diff coverage is 21.91%.

@@            Coverage Diff             @@
##             main    #3016      +/-   ##
==========================================
- Coverage   31.06%   31.00%   -0.07%     
==========================================
  Files         155      155              
  Lines        9744     9712      -32     
==========================================
- Hits         3027     3011      -16     
+ Misses       6255     6250       -5     
+ Partials      462      451      -11     
Impacted Files Coverage Δ
pkg/cosign/tlog.go 37.13% <0.00%> (-2.07%) ⬇️
pkg/cosign/verify.go 37.51% <29.09%> (+0.28%) ⬆️

cmd/cosign/cli/verify/verify_blob_test.go Outdated Show resolved Hide resolved
pkg/cosign/tlog.go Outdated Show resolved Hide resolved
pkg/cosign/verify.go Outdated Show resolved Hide resolved
case *rekord_v001.V001Entry:
return entry.RekordObj.Signature.Content.String(), nil
default:
return "", errors.New("unsupported type")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about intoto types? I see we didn't try to extract signatures previously, but isn't that a gap?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in compareSigs if an actual attestation is stored in OCI, the signature from the DSSE envelope is not stored as a separate file (as it would be with other types) so the verification is done elsewhere.

@cpanato
Copy link
Member

cpanato commented Jun 6, 2023

needs rebase

@haydentherapper
Copy link
Contributor

LGTM to me, just one comment on a test. @bobcallaway do you want to also update this PR to switch the default type to dsse too since the Rekor update is now in prod?

Signed-off-by: Bob Callaway <[email protected]>
@haydentherapper
Copy link
Contributor

@bobcallaway is this ready to go?

@cpanato
Copy link
Member

cpanato commented Jun 15, 2023

@haydentherapper @bobcallaway, after this can we cut a release?

hectorj2f
hectorj2f previously approved these changes Jun 15, 2023
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cpanato
Copy link
Member

cpanato commented Jun 15, 2023

@bobcallaway need rebase

@bobcallaway bobcallaway enabled auto-merge (squash) June 15, 2023 18:25
@bobcallaway bobcallaway merged commit 7739f5f into sigstore:main Jun 15, 2023
@github-actions github-actions bot added this to the v1.14.0 milestone Jun 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants