Intoto v0.0.2 #973
3c47eb1 to 404d041
// verifyEnvelope takes in an array of possible key bytes and attempts to parse them as x509 public keys.
// it then uses these to verify the envelope and makes sure that every signature on the envelope is verified.
// it returns a map of verifiers indexed by the signature the verifier corresponds to.
func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x509.PublicKey, error) {
Is there a way we can use the DSSE signer/verifier implementation from https://pkg.go.dev/github.com/sigstore/[email protected]/pkg/signature/dsse instead of re-implementing it here?
Let me look to use this instead.
Using the implementation provided by sigstore does not provide the functionality in mapping the keys to the valid signature. The sigstore implementation just validates all the signatures with the pub keys, but we further do mapping of the keys to sigs to create the log entry. We could create an issue to track this and update sigstore to add this functionality there?
@bobcallaway Ready for another review.
c4bc858 to d855eea
Codecov Report (main vs #973)

              main     #973     +/-
Coverage    48.06%   48.17%  +0.11%
Files           61       62      +1
Lines         5413     5741    +328
Hits          2602     2766    +164
Misses        2528     2676    +148
Partials       283      299     +16
Looks like something is up with codegen here....
looks like some of the path names in
Looks like the Makefile is doing unwanted substitution?
#984 pushed to fix this
Tests seem stuck here.
Github is back, you might need to force push/rebase to kick the tests though.
994694d to f0417be
Updating the tests.
9ddbccb to c2cc210
Any thoughts on why the e2e test fail on
I ran it locally and got this error:
probably related to this comment https://github.com/sigstore/rekor/pull/973/files#r948283591
Still getting the same error on the e2e test:
Thanks! This may be a very late drive-by on the schema: but I have a major question about the schema's payload and payloadHash
pkg/types/alpine/v0.0.1/entry.go (outdated)
if err != nil {
    return nil, fmt.Errorf("error reading public key file: %w", err)
if len(publicKeyBytes) == 0 {
if len(props.PublicKeyPath) > 1 {
nit: for simplicity just use if len(props.PublicKeyPath) != 1? Then no need for the second if clause.
done.
pkg/types/cose/v0.0.1/entry.go (outdated)
publicKeyBytes, err = ioutil.ReadFile(filepath.Clean(props.PublicKeyPath.Path))
if err != nil {
    return nil, fmt.Errorf("error reading public key file: %w", err)
if len(props.PublicKeyPath) > 1 {
again, could consolidate the >1 and ==1 check
done
pkg/types/alpine/v0.0.1/entry.go (outdated)
} else {
    re.AlpineModel.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes)
    re.AlpineModel.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes[0])
should there be a warning when more than one public key byte files are provided?
yup will add.
Adds a DSSE envelope type to rekor. If the DSSE envelope's payload is an in-toto statement the in-toto subjects will be used as indices for the envelope's rekord. If the envelope's payload is within the server's configured attestation size the payload will be stored as an attestation. Signed-off-by: Mikhail Swift <[email protected]> Signed-off-by: pxp928 <[email protected]>
Everything is passing! Is this on track to merge this week @bobcallaway?
@pxp928 and I are debugging hopefully the final issue before merge now
2fa4649 to 0826315
LGTM, thanks for the hard work!
nice!!
YESSS!
The intoto v001 type does not persist signatures of the DSSE envelope, as noted in sigstore/rekor#973. We introduced an intoto v002 type shortly after to fix this, but since then, we've introduced another newer type, DSSE v001, which also does not persist the attestation in Rekor (as we discourage using Rekor as storage). I also updated the verifier in slsa-framework/slsa-verifier#742 to search for both Rekor entry types.
Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden B <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Summary
The current implementation of the intoto type within Rekor does not persist the signatures from the wrapping DSSE envelope into the log entry stored by Trillian. This makes it impossible to independently verify the cryptographic validity of the entry without possession of the original DSSE envelope.
Based on the discussion and the design doc, it was decided to create a v0.0.2 of the intoto Rekor type with changes from v0.0.1, which in addition persists multiple public keys and signatures.
Design Doc - https://docs.google.com/document/d/17gB598uEkoxx8j9sDhrvfhuNFHW5BSsWEiMP8POn8xo/edit?resourcekey=0-1H4eG4-4-UQYIEXZgj6AKQ#heading=h.6dq5va2kfzsw
Fixes #582
Release Note
Adds a new v0.0.2 of the intoto type to rekor to support DSSE envelopes with multiple signatures and public keys.
Documentation