Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor bundle validation code, add support for DSSE rekor type #3016

Merged
merged 7 commits into from
Jun 15, 2023
Merged

refactor bundle validation code, add support for DSSE rekor type #3016

merged 7 commits into from
Jun 15, 2023

Conversation

bobcallaway
Copy link
Member

Summary

This refactors the bundle verification code to only parse entry JSON once, and use reflection to determine the appropriate way to extract the Rekor-type specific information.

Also adds support for the newly added DSSE type in Rekor (currently only deployed to staging, not production). I will propose a new PR to switch over the default behavior to use dsse instead of intoto Rekor type once this goes live into production.

Release Note

NONE

Documentation

@bobcallaway
refactor bundle validation code, add support for DSSE rekor type
857ca58 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@bobcallaway
Merge remote-tracking branch 'upstream/main' into add_dsse_type
978431d 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@codecov
Copy link

codecov bot commented May 30, 2023
edited
Loading

Codecov Report

Merging #3016 (eb62e59) into main (80c0f88) will decrease coverage by 0.07%.
The diff coverage is 21.91%.

@@            Coverage Diff             @@
##             main    #3016      +/-   ##
==========================================
- Coverage   31.06%   31.00%   -0.07%     
==========================================
  Files         155      155              
  Lines        9744     9712      -32     
==========================================
- Hits         3027     3011      -16     
+ Misses       6255     6250       -5     
+ Partials      462      451      -11
Impacted Files Coverage Δ
pkg/cosign/tlog.go 37.13% <0.00%> (-2.07%) ⬇️
pkg/cosign/verify.go 37.51% <29.09%> (+0.28%) ⬆️

haydentherapper
haydentherapper reviewed May 31, 2023
View reviewed changes
cmd/cosign/cli/verify/verify_blob_test.go Outdated Show resolved Hide resolved
pkg/cosign/tlog.go Outdated Show resolved Hide resolved
pkg/cosign/verify.go Outdated Show resolved Hide resolved
pkg/cosign/verify.go
case *rekord_v001.V001Entry:
return entry.RekordObj.Signature.Content.String(), nil
default:
return "", errors.New("unsupported type")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about intoto types? I see we didn't try to extract signatures previously, but isn't that a gap?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in compareSigs if an actual attestation is stored in OCI, the signature from the DSSE envelope is not stored as a separate file (as it would be with other types) so the verification is done elsewhere.

@bobcallaway
address comments
f47435a 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@bobcallaway
Merge remote-tracking branch 'upstream/main' into add_dsse_type
8d3a17e 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@cpanato
Copy link
Member

cpanato commented Jun 6, 2023

needs rebase

@haydentherapper
Copy link
Contributor

LGTM to me, just one comment on a test. @bobcallaway do you want to also update this PR to switch the default type to dsse too since the Rekor update is now in prod?

@bobcallaway
Merge remote-tracking branch 'upstream/main' into add_dsse_type
2dca3c8 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@bobcallaway
remove duplicated test
e4463e5 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@haydentherapper
Copy link
Contributor

@bobcallaway is this ready to go?

@cpanato
Copy link
Member

cpanato commented Jun 15, 2023

@haydentherapper @bobcallaway, after this can we cut a release?

hectorj2f
hectorj2f previously approved these changes Jun 15, 2023
View reviewed changes
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cpanato
Copy link
Member

cpanato commented Jun 15, 2023

@bobcallaway need rebase

@bobcallaway
Merge remote-tracking branch 'upstream/main' into add_dsse_type
eb62e59 
Signed-off-by: Bob Callaway <bcallaway@google.com>
@bobcallaway bobcallaway enabled auto-merge (squash) June 15, 2023 18:25
@bobcallaway bobcallaway merged commit 7739f5f into sigstore:main Jun 15, 2023
@github-actions github-actions bot added this to the v1.14.0 milestone Jun 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

@hectorj2f hectorj2f hectorj2f left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.14.0
Development

Successfully merging this pull request may close these issues.
4 participants
@bobcallaway @cpanato @haydentherapper @hectorj2f