default to generating dsse rekor entries (#1270)
Signed-off-by: Brian DeHamer <[email protected]>
bdehamer authored Oct 10, 2024
1 parent 2e58489 commit 64cae89
Showing 5 changed files with 67 additions and 65 deletions.
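--- a/.changeset/tame-clouds-sparkle.md
+++ b/.changeset/tame-clouds-sparkle.md
@@ -0,0 +1,5 @@
+---
+'@sigstore/sign': major
+---
+
+Default `RekorWitness` to generating "dsse" entries instead of "intoto"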
1 change: 1 addition & 0 deletions packages/client/src/config.ts
Expand Up @@ -170,6 +170,7 @@ function initWitnesses(options: SignOptions): Witness[] {
witnesses.push(
new RekorWitness({
rekorBaseURL: options.rekorURL,
entryType: 'intoto',
fetchOnConflict: false,
retry: options.retry ?? DEFAULT_RETRY,
timeout: options.timeout ?? DEFAULT_TIMEOUT,
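Review bot: The new `entryType: 'intoto',` passed to `RekorWitness` carries no explanation of why the client opts out of the default that this same commit moves to `'dsse'`, so the next reader is likely to "fix" it back. A one-line comment above it would keep the intent, e.g. `// Keep the client on 'intoto' tlog entries for now (presumably so existing bundle consumers are unaffected); drop once 'dsse' is acceptable downstream.` Whether the pin exists for compatibility is inferred here, not visible in the hunk. initWitnesses begins before and continues after this hunk.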
2 changes: 1 addition & 1 deletion packages/sign/src/__tests__/integration.test.ts
Expand Up @@ -86,7 +86,7 @@ describe('artifact signing', () => {

expect(bundle.verificationMaterial.tlogEntries).toHaveLength(1);
expect(bundle.verificationMaterial.tlogEntries[0].kindVersion.kind).toBe(
'intoto'
'dsse'
);

expect(
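Review bot: The updated expectation pins only `kindVersion.kind` to `'dsse'`; the apiVersion the unit tests expect for dsse proposed entries (`'0.0.1'`) is not asserted here, so a silent change of the entry schema version would still pass this integration test. Assuming Rekor echoes the proposed apiVersion in `kindVersion.version`, add `expect(bundle.verificationMaterial.tlogEntries[0].kindVersion.version).toBe('0.0.1');` next to the kind check. The enclosing `it` block starts and ends outside this hunk.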
114 changes: 55 additions & 59 deletions packages/sign/src/__tests__/witness/tlog/entry.test.ts
Expand Up @@ -74,42 +74,16 @@ describe('toProposedEntry', () => {
it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey);

assert(entry.apiVersion === '0.0.2');
assert(entry.kind === 'intoto');
assert(entry.apiVersion === '0.0.1');
assert(entry.kind === 'dsse');
expect(entry.spec).toBeTruthy();
expect(entry.spec.content).toBeTruthy();
expect(entry.spec.content.envelope).toBeTruthy();

const e = entry.spec.content.envelope;
expect(e?.payloadType).toEqual(sigBundle.dsseEnvelope.payloadType);
expect(e?.payload).toEqual(
enc.base64Encode(sigBundle.dsseEnvelope.payload.toString('base64'))
);
expect(e?.signatures).toHaveLength(1);
expect(e?.signatures[0].keyid).toEqual(
sigBundle.dsseEnvelope.signatures[0].keyid
);
expect(e?.signatures[0].sig).toEqual(
enc.base64Encode(
sigBundle.dsseEnvelope.signatures[0].sig.toString('base64')
)
);
expect(e?.signatures[0].publicKey).toEqual(enc.base64Encode(publicKey));

expect(entry.spec.content.payloadHash).toBeTruthy();
expect(entry.spec.content.payloadHash?.algorithm).toBe('sha256');
expect(entry.spec.content.payloadHash?.value).toBe(
crypto
.digest('sha256', sigBundle.dsseEnvelope.payload)
.toString('hex')
expect(entry.spec.proposedContent).toBeTruthy();
expect(entry.spec.proposedContent?.envelope).toEqual(
JSON.stringify(envelopeToJSON(sigBundle.dsseEnvelope))
);
expect(entry.spec.content.hash).toBeTruthy();
expect(entry.spec.content.hash?.algorithm).toBe('sha256');

// This hard-coded hash value helps us detect if we've unintentionally
// changed the hashing algorithm.
expect(entry.spec.content.hash?.value).toBe(
'37d47ab456ca63a84f6457be655dd49799542f2e1db5d05160b214fb0b9a7f55'
expect(entry.spec.proposedContent?.verifiers).toHaveLength(1);
expect(entry.spec.proposedContent?.verifiers[0]).toEqual(
enc.base64Encode(publicKey)
);
});
});
Expand All @@ -125,7 +99,7 @@ describe('toProposedEntry', () => {
};

it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey);
const entry = toProposedEntry(sigBundle, publicKey, 'intoto');

assert(entry.apiVersion === '0.0.2');
assert(entry.kind === 'intoto');
Expand Down Expand Up @@ -178,30 +152,52 @@ describe('toProposedEntry', () => {
},
};

it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey);

assert(entry.apiVersion === '0.0.2');
assert(entry.kind === 'intoto');

// Check to ensure only the first signature is included in the envelope
const e = entry.spec.content.envelope;
expect(e?.signatures).toHaveLength(1);
expect(e?.signatures[0].keyid).toEqual(
sigBundle.dsseEnvelope.signatures[0].keyid
);
expect(e?.signatures[0].sig).toEqual(
enc.base64Encode(
sigBundle.dsseEnvelope.signatures[0].sig.toString('base64')
)
);
expect(e?.signatures[0].publicKey).toEqual(enc.base64Encode(publicKey));
describe('when asking for an intoto entry', () => {
it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey, 'intoto');

assert(entry.apiVersion === '0.0.2');
assert(entry.kind === 'intoto');

// Check to ensure only the first signature is included in the envelope
const e = entry.spec.content.envelope;
expect(e?.signatures).toHaveLength(1);
expect(e?.signatures[0].keyid).toEqual(
sigBundle.dsseEnvelope.signatures[0].keyid
);
expect(e?.signatures[0].sig).toEqual(
enc.base64Encode(
sigBundle.dsseEnvelope.signatures[0].sig.toString('base64')
)
);
expect(e?.signatures[0].publicKey).toEqual(
enc.base64Encode(publicKey)
);

// This hard-coded hash value helps us detect if we've unintentionally
// changed the hashing algorithm.
expect(entry.spec.content.hash?.value).toBe(
'37d47ab456ca63a84f6457be655dd49799542f2e1db5d05160b214fb0b9a7f55'
);
});
});

// This hard-coded hash value helps us detect if we've unintentionally
// changed the hashing algorithm.
expect(entry.spec.content.hash?.value).toBe(
'37d47ab456ca63a84f6457be655dd49799542f2e1db5d05160b214fb0b9a7f55'
);
describe('when asking for a dsse entry', () => {
it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey, 'dsse');

assert(entry.apiVersion === '0.0.1');
assert(entry.kind === 'dsse');

expect(entry.spec.proposedContent).toBeTruthy();
expect(entry.spec.proposedContent?.envelope).toEqual(
JSON.stringify(envelopeToJSON(sigBundle.dsseEnvelope))
);
expect(entry.spec.proposedContent?.verifiers).toHaveLength(1);
expect(entry.spec.proposedContent?.verifiers[0]).toEqual(
enc.base64Encode(publicKey)
);
});
});
});
});
Expand All @@ -218,7 +214,7 @@ describe('toProposedEntry', () => {
};

it('return a valid ProposedEntry entry', () => {
const entry = toProposedEntry(sigBundle, publicKey, 'dsse');
const entry = toProposedEntry(sigBundle, publicKey);

assert(entry.apiVersion === '0.0.1');
assert(entry.kind === 'dsse');
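Review bot: The new multi-signature case under `describe('when asking for a dsse entry')` never states how many signatures the logged envelope carries, whereas the sibling intoto case explicitly checks that only the first signature is included, so a reader cannot tell whether logging every signature is intended. Since `proposedContent.envelope` is asserted to be the stringified envelope, pin it explicitly: `const logged = JSON.parse(entry.spec.proposedContent?.envelope ?? '{}');` followed by `expect(logged.signatures).toHaveLength(sigBundle.dsseEnvelope.signatures.length);`. In that same case `verifiers` is asserted to have length 1, so if the fixture carries more than one signature only one public key is recorded alongside them; a comment stating that this is deliberate would help if it is. The `sigBundle` fixture and the enclosing describe blocks start before this hunk.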
10 changes: 5 additions & 5 deletions packages/sign/src/witness/tlog/entry.ts
Expand Up @@ -30,15 +30,15 @@ export function toProposedEntry(
content: SignatureBundle,
publicKey: string,
// TODO: Remove this parameter once have completely switched to 'dsse' entries
entryType: 'dsse' | 'intoto' = 'intoto'
entryType: 'dsse' | 'intoto' = 'dsse'
): ProposedEntry {
switch (content.$case) {
case 'dsseEnvelope':
// TODO: Remove this conditional once have completely switched to 'dsse' entries
if (entryType === 'dsse') {
return toProposedDSSEEntry(content.dsseEnvelope, publicKey);
// TODO: Remove this conditional once have completely ditched "intoto" entries
if (entryType === 'intoto') {
return toProposedIntotoEntry(content.dsseEnvelope, publicKey);
}
return toProposedIntotoEntry(content.dsseEnvelope, publicKey);
return toProposedDSSEEntry(content.dsseEnvelope, publicKey);
case 'messageSignature':
return toProposedHashedRekordEntry(content.messageSignature, publicKey);
}
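Review bot: `entryType` is only consulted on the `dsseEnvelope` branch; a caller passing `'dsse'` or `'intoto'` together with `messageSignature` content silently gets a hashedrekord entry, and nothing in the signature says so. Document this in TSDoc on the function with a `@param entryType` line such as `Rekor entry kind to propose for DSSE envelopes (default 'dsse'); ignored for messageSignature content, which always yields a hashedrekord entry.` While touching it, make the two TODO comments agree — one says "switched to 'dsse' entries", the other "ditched intoto entries", and both drop the word "we". The function signature starts before this hunk.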
