
feat: fixes #547: add npm sigstore-tuf support #731

Merged

Conversation

@ramonpetgrave64 ramonpetgrave64 commented Jan 10, 2024

Addresses: #547

Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root.

This PR:

  • dynamically uses the keyid specified in the sigstore bundle, rather than the hardcoded keyid.
  • uses an updated (pending) sigstore-go library that allows us to fetch a signed and verified copy of the same key.

@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from c3c9feb to 17e2f5c Compare January 10, 2024 17:32
@ramonpetgrave64 ramonpetgrave64 changed the title from "Feat: fixes #547: add npm sigstore-tuf suport" to "feat: fixes #547: add npm sigstore-tuf suport" Jan 10, 2024
@ramonpetgrave64 (author):

@laurentsimon please take a look

@laurentsimon laurentsimon left a comment


minor nits, but LGTM. Thank you!

go.mod:
)

// use the pending PR #41 branch tuf-client-2
replace github.com/sigstore/sigstore-go => github.com/sigstore/sigstore-go v0.0.0-20231222133331-d489b534902f
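Review bot: the `replace` directive pins github.com/sigstore/sigstore-go to the pseudo-version v0.0.0-20231222133331-d489b534902f taken from the pending PR #41 branch, so the verifier build depends on an unreleased commit that the comment above it already marks as temporary. Drop the directive before merging and require a tagged sigstore-go release instead, so the dependency resolves through the module proxy and checksum database rather than a branch that can move underneath the verifier.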
Contributor:

note to you: don't forget to replace before merging

@ramonpetgrave64 ramonpetgrave64 Feb 13, 2024


It's now using an official release of sigstore/[email protected], so I think we're ready to merge @laurentsimon @ianlewis

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review February 13, 2024 18:25
@ramonpetgrave64 ramonpetgrave64 marked this pull request as draft April 5, 2024 14:47
@ramonpetgrave64 ramonpetgrave64 deleted the ramonpetgrave64-npm-tuf branch April 8, 2024 15:10
@ramonpetgrave64 ramonpetgrave64 restored the ramonpetgrave64-npm-tuf branch April 8, 2024 15:10
@ramonpetgrave64 (author):

I've updated the PR to dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review April 10, 2024 19:05
@ramonpetgrave64 ramonpetgrave64 marked this pull request as draft April 10, 2024 19:31
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from dfc1274 to 7d6ef52 Compare April 10, 2024 19:32
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from 7d6ef52 to 230ea37 Compare April 10, 2024 20:06
@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review April 10, 2024 20:25
@laurentsimon laurentsimon left a comment


LGTM, thanks!

@haydentherapper if you have comments let us know

func getKeyDataWithNpmjsKeysTarget(keys *npmjsKeysTarget, keyID, keyUsage string) (string, error) {
	for _, key := range keys.Keys {
		if key.KeyID == keyID && key.KeyUsage == keyUsage {
			return key.PublicKey.RawBytes, nil
@laurentsimon laurentsimon Apr 11, 2024


I suppose that's where we should eventually get the TUF validity period and validate against rekor entry. Let's create a tracking issue to do that both here and in Fulcio cert verification (leaf cert period verification and rekor entry timestamp)
/cc @haydentherapper

@ramonpetgrave64 (author):

For now, I created the issue to track #757

@laurentsimon:

@ramonpetgrave64 feel free to merge after addressing the few nits. Please create a tracking issue for the TUF verification discussed in #731 (comment). Thanks for the PR!
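The lookup this PR describes (select npm's attestation key from the TUF-served keys.json by the keyid the bundle names) together with the validity-period check the thread defers to #757, as an added example that is not slsa-verifier's or sigstore-go's code. The keys.json field names, the keyid derivation ("SHA256:" plus unpadded base64 of the DER digest), the function names and the sample payload are all assumptions made here. The point it makes explicit: the keyid from the bundle is untrusted input that only chooses which entry to look at; trust comes from the TUF-verified target, and a matching entry is still rejected when the Rekor entry's integrated time falls outside the key's window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Types modelled on the registry.npmjs.org/keys.json target served from sigstore's
// TUF root; the exact field names are an assumption made for this example.
type npmjsKeysTarget struct {
	Keys []npmjsKey `json:"keys"`
}

type npmjsKey struct {
	KeyID     string `json:"keyId"`
	KeyUsage  string `json:"keyUsage"`
	PublicKey struct {
		RawBytes string `json:"rawBytes"` // base64 DER SubjectPublicKeyInfo
		ValidFor struct {
			Start time.Time  `json:"start"`
			End   *time.Time `json:"end,omitempty"` // nil: no expiry
		} `json:"validFor"`
	} `json:"publicKey"`
}

const attestationUsage = "npm:attestations"

// LookupAttestationKey resolves the keyid carried in the bundle (untrusted input)
// against the TUF-verified target and rejects the key unless the Rekor entry's
// integrated time falls inside the key's validity window.
func LookupAttestationKey(target *npmjsKeysTarget, keyID string, integratedTime time.Time) (*ecdsa.PublicKey, error) {
	for _, k := range target.Keys {
		if k.KeyID != keyID || k.KeyUsage != attestationUsage {
			continue
		}
		vf := k.PublicKey.ValidFor
		if integratedTime.Before(vf.Start) || (vf.End != nil && integratedTime.After(*vf.End)) {
			return nil, fmt.Errorf("key %s not valid at %s", keyID, integratedTime.UTC().Format(time.RFC3339))
		}
		der, err := base64.StdEncoding.DecodeString(k.PublicKey.RawBytes)
		if err != nil {
			return nil, fmt.Errorf("decoding rawBytes: %w", err)
		}
		pub, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, fmt.Errorf("parsing PKIX key: %w", err)
		}
		ec, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("key %s is not an ECDSA key", keyID)
		}
		return ec, nil
	}
	return nil, fmt.Errorf("no key with keyId %q and keyUsage %q", keyID, attestationUsage)
}

// BuildTarget writes a constructed keys.json for pub and parses it back, so the
// document has the shape a TUF client would hand the verifier. The keyid scheme
// ("SHA256:" + unpadded base64 of SHA-256 over the DER) is assumed here.
func BuildTarget(pub *ecdsa.PublicKey, start time.Time, end *time.Time) (*npmjsKeysTarget, string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(der)
	var k npmjsKey
	k.KeyID = "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
	k.KeyUsage = attestationUsage
	k.PublicKey.RawBytes = base64.StdEncoding.EncodeToString(der)
	k.PublicKey.ValidFor.Start, k.PublicKey.ValidFor.End = start, end
	raw, err := json.Marshal(npmjsKeysTarget{Keys: []npmjsKey{k}})
	if err != nil {
		return nil, "", err
	}
	var target npmjsKeysTarget
	if err := json.Unmarshal(raw, &target); err != nil {
		return nil, "", err
	}
	return &target, k.KeyID, nil
}

// VerifyAt signs a constructed payload with a fresh P-256 key whose validity starts
// on 2023-01-01, then resolves the key and checks the signature as of integratedTime.
func VerifyAt(integratedTime time.Time) (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	start := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	target, keyID, err := BuildTarget(&priv.PublicKey, start, nil)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256([]byte(`{"_type":"https://in-toto.io/Statement/v1"}`)) // constructed payload
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, err
	}
	pub, err := LookupAttestationKey(target, keyID, integratedTime)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}
```

VerifyAt with a 2024 integrated time returns true; with a 2022 time the same key is refused before any signature check runs, which is the behaviour the thread wants once #757 lands. In the real verifier the target bytes would come from the sigstore-go TUF client rather than BuildTarget, and the integrated time from the bundle's Rekor entry.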

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64 ramonpetgrave64 enabled auto-merge (squash) April 16, 2024 17:09
@ramonpetgrave64 ramonpetgrave64 merged commit 8c9ed07 into slsa-framework:main Apr 16, 2024
14 checks passed