add dsse type #1487

Merged on May 24, 2023 (16 commits)

@bobcallaway bobcallaway commented May 12, 2023

Summary

This adds a new pluggable type dsse, which adds entries for DSSE JSON documents which are often used with in-toto attestations. There are a few significant differences between this dsse type and the already existing intoto types:

  • The JSON schema more clearly separates the proposed entry from what is persisted to simplify client expectations
  • The DSSE envelope is provided as a JSON string, rather than double-encoding values in base64
  • The DSSE envelope is not stored by Rekor; this is to set the client expectation that attestation storage in Rekor should not be relied upon for attestation discovery.

Release Note

  • Adds a new entry type dsse which persists information about DSSE envelopes without storing the envelope in Rekor

Documentation

  • Add docs on type to docs.sigstore.dev

Signed-off-by: Bob Callaway <bcallaway@google.com>
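
The design in the summary above (envelope submitted as a plain JSON string, only derived information kept), as an added Go sketch that is not code from this pull request or from Rekor. `Record`, `Persist`, `Matches` and `SampleEnvelope` are hypothetical names, keeping SHA-256 digests as the persisted information is an assumption, and the sample envelope is constructed with a fake signature that is not verified here.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE JSON envelope; payload is base64 per the DSSE spec.
type Envelope struct {
	Payload     string            `json:"payload"`
	PayloadType string            `json:"payloadType"`
	Signatures  []json.RawMessage `json:"signatures"`
}

// Record is a hypothetical persisted form: digests only, no envelope.
type Record struct{ EnvelopeSHA256, PayloadSHA256 string }

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Persist checks an envelope passed as a plain JSON string (no base64 wrapper)
// and returns the only data this sketch's log keeps.
func Persist(envelopeJSON string) (Record, error) {
	var env Envelope
	if err := json.Unmarshal([]byte(envelopeJSON), &env); err != nil {
		return Record{}, fmt.Errorf("envelope is not JSON: %w", err)
	}
	if len(env.Signatures) == 0 {
		return Record{}, fmt.Errorf("envelope carries no signatures")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Record{}, fmt.Errorf("payload is not base64: %w", err)
	}
	return Record{digest([]byte(envelopeJSON)), digest(payload)}, nil
}

// Matches ties an envelope the client kept back to a log record.
func Matches(r Record, envelopeJSON string) bool { return r.EnvelopeSHA256 == digest([]byte(envelopeJSON)) }

// SampleEnvelope builds constructed test data; the signature bytes are fake.
func SampleEnvelope() string {
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf(`{"payload":%q,"payloadType":"application/vnd.in-toto+json","signatures":[{"sig":%q}]}`,
		b64([]byte(`{"_type":"constructed"}`)), b64([]byte("constructed-signature")))
}

func main() { fmt.Println(Persist(SampleEnvelope())) }
```

Because the record in this sketch holds only digests, the client has to keep the exact envelope bytes itself; a re-serialized copy with different whitespace no longer matches the record.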
codecov bot commented May 12, 2023

Codecov Report

Merging #1487 (8ecef3c) into main (43be4d8) will increase coverage by 0.53%.
The diff coverage is 75.49%.

@@            Coverage Diff             @@
##             main    #1487      +/-   ##
==========================================
+ Coverage   66.48%   67.01%   +0.53%     
==========================================
  Files          80       82       +2     
  Lines        8023     8325     +302     
==========================================
+ Hits         5334     5579     +245     
- Misses       2038     2077      +39     
- Partials      651      669      +18     
Flag Coverage Δ
e2etests 48.50% <61.58%> (+0.66%) ⬆️
unittests 47.50% <62.79%> (+0.68%) ⬆️

Impacted Files Coverage Δ
cmd/rekor-cli/app/root.go 66.66% <ø> (ø)
pkg/types/dsse/v0.0.1/entry.go 72.99% <72.99%> (ø)
cmd/rekor-server/app/serve.go 84.81% <100.00%> (+0.19%) ⬆️
pkg/types/dsse/dsse.go 100.00% <100.00%> (ø)

... and 5 files with indirect coverage changes

cpanato previously approved these changes May 13, 2023
@AdamKorcz

Fuzzing-part looks good!

@bobcallaway bobcallaway marked this pull request as ready for review May 23, 2023 11:35
@bobcallaway bobcallaway requested a review from a team as a code owner May 23, 2023 11:35
@bobcallaway bobcallaway requested a review from bdehamer May 23, 2023 11:38
bdehamer previously approved these changes May 23, 2023
@bdehamer bdehamer left a comment

Thanks for tackling this. Looking forward to using this in place of the intoto type!

codysoyland previously approved these changes May 23, 2023
@codysoyland codysoyland left a comment

Great stuff, thanks @bobcallaway! 🎉

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
jul-sh commented May 11, 2024

The DSSE envelope is not stored by Rekor; this is to set the client expectation that attestation storage in Rekor should not be relied upon for attestation discovery.

@bobcallaway to confirm, is this the desired expectation for all rekor entries or specific to the DSSE type?

Rekor's search functionality, as well as its UI for viewing in-toto SLSA provenances positioned it as a useful tool for attestation discovery.
