Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] Support offline attestation verification: .sigstore file or persisted SET #716

Closed
asraa opened this issue Aug 15, 2022 · 2 comments
Closed

[feature] Support offline attestation verification: .sigstore file or persisted SET #716

asraa opened this issue Aug 15, 2022 · 2 comments
Labels
type:discussion A point of discussion

Comments

@asraa
Copy link
Collaborator

asraa commented Aug 15, 2022

This is a tracking issue and discussion for whether we should move to support the proposed Sigstore's attestation blob format when it is implemented

See https://docs.google.com/document/d/1gucjOA_bGyRjK6TeaOI-X5GIUv8WsPzeMDMkq25Kv4Y/edit#heading=h.we5fqok7jai5
sigstore/cosign#2131

Describe the solution you'd like
This would require outputting .sigstore files instead of .intoto.jsonl attestation outputs for the blob builders and generators.

These .sigstore files would contain information like signing cert or pk and rekor SET for offline verification.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.
@asraa asraa added type:feature New feature or request status:triage Issue that has not been triaged labels Aug 15, 2022
@asraa asraa changed the title [feature] Support Sigstore's proposed .sigstore file for offline attestation verification [feature] Support offline attestation verification: .sigstore file or persisted SET Aug 17, 2022
@ianlewis ianlewis added type:discussion A point of discussion and removed type:feature New feature or request status:triage Issue that has not been triaged labels Aug 30, 2022
@asraa
Copy link
Collaborator Author

asraa commented Sep 16, 2022

Some updates from the official sigstore bundle PR: the bundle would be a JSON that has the following format, with a sigstore bundle intoto type:

{
  "mediaType": "application/vnd.dev.sigstore.bundle.v1+json",
  "rekorEntry": {
    "logIndex": "123",
    "logId": "logid-123",
    "kind": "intoto",
    "version": "v0.0.1",
    "signedEntryTimestamp": "SET",
    "integratedTime": "1661340393"
  },
  "x509Cert": {
    "certificate": "PEM Encoded string",
    "chain": "PEM Encoded string"
  },
  "attestationDsse": {
    "payload": "eyJrZXkiOiJ2YWx1ZSJ9",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [
      {
        "sig": "aGVq"
      }
    ]
  }
}

The attestationDSSE would contain the intoto JSON file. So it a wrapper around the DSSE envelope, with the predicate still held inside an intoto attestation.

For multiple attestations, this bundle file would be concatenated as JSON lines.

The current bundle format is much more simple, but is more prone to error:

{
  "base64Signature": "MEQCIFWOIfIg0KvKk0iA7OZWrpRdQ/bb4gfk9+K6ZGcscsqpAiBKL0Z/sahv3EEadTXTVo1i+1OVC0BvLwsB7TPNQ1z4Nw==",
  "cert": "...",
  "rekorBundle": {
    "SignedEntryTimestamp": "MEYCIQCkyFReBLGFzzXjETXqxR+aK2xQVhVLooaAcB/Htp7oQwIhAMkpneby0tUljOM+wcYMDrlDbzFUFZNWzX90XKyS9B9N",
    "Payload": {
      "body": "...",
      "integratedTime": 1662656020,
      "logIndex": 3433946,
      "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
    }
  }
}

where the body is actually the rekor representation, so not the actual DSSE payload. So this format would require distributing both the .intoto.jsonl and this.

@asraa asraa mentioned this issue Oct 13, 2022
Closed
@asraa asraa added this to the 2022 Stability improvements milestone Oct 27, 2022
@ianlewis ianlewis removed this from the 2022 Stability improvements milestone Jan 12, 2023
@haydentherapper haydentherapper mentioned this issue Jul 29, 2024
Closed
@haydentherapper
Copy link
Contributor

Filed #3750, will mark this as a dup. The bundle format should take precedence over individual files.

@haydentherapper haydentherapper closed this as not planned Won't fix, can't repro, duplicate, stale Jul 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:discussion A point of discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ianlewis @asraa @haydentherapper