
Offline validation of attestations from GitHub's private attestation service #393

Open
grahamc opened this issue Sep 16, 2024 · 5 comments
Labels
question Further information is requested

Comments


grahamc commented Sep 16, 2024

Hi,

I'm wanting to validate the attestations provided by GitHub for artifacts built in a private repository. I would like to do this validation as part of a Rust program.

I came across actions/attest-build-provenance#162, and some merged PRs to this repo that seemed to be making progress towards making this possible in Rust.

I'm curious about the status of validating these new bundle formats, and the gap between sigstore-rs and being able to do this within a Rust program. And, if it is a "good-first-issue" type of task, I'd be happy to help.

Thank you!

@grahamc grahamc added the question Further information is requested label Sep 16, 2024

wolfv commented Sep 18, 2024

We're actually also interested in this!


wolfv commented Sep 18, 2024

My understanding is that this is basically #280

Contributor

tnytown commented Sep 19, 2024

My understanding is that this is basically #280

Correct! That's the issue we're using to track it. In terms of validation, we're currently able to:

  • Handle bundles up to version 0.2 (not 0.3, which the GitHub infrastructure might produce)
  • Online signature verification against the Public Good Instance
  • SCT verification

What remains to be done:

  • Explicit support for offline verification. You may be able to hack this in by constructing Verifier with a ManualTrustRoot, but the API has a few sharp edges.
  • Inclusion proof verification. This is Merkle tree proof implementation #285.
  • Verification against a custom trust root. You'll need this for validating against the GitHub instance. There's a preliminary API surface for this in Conformance suite feature parity #354 that should accept the trustroot format emitted by gh attestation trusted-root.
  • Parity to sigstore-conformance. The current verifier is not safe for use in a production context and may accept bundles that are invalid or reject bundles that are valid. This is being tracked at Conformance suite feature parity #354.

I'm not actively working on this (funding ran out), but I'm happy to answer questions if anybody would like to pick this work up!


wolfv commented Sep 19, 2024

@tnytown thank you for the reply! This is very informative.

I tested loading a v0.3 attestation (generated by GitHub) yesterday. Verification failed at "DSSE not implemented yet". Is it correct that this part should not be too hard (i.e. could it be a good first issue to get one's feet wet)? I assume it would be easiest to look at the Python implementation as a reference?

Cheers!

Contributor

tnytown commented Sep 19, 2024

Oh, I forgot to mention DSSE! DSSE would be a big part of the work in verifying attestations. IIRC DSSE is a pretty recent addition to sigstore-python (sigstore/sigstore-python#628).

I can't speak to the difficulty of implementing DSSE as I'm not too familiar with it, but it's an entirely new signature format and there was a good amount of churn in sigstore-python around its implementation, so I'm anticipating that it would be a good amount of work.

The sigstore-rs bundle APIs are heavily inspired by sigstore-python, so if you'd like to take a stab at it that would indeed be a good place to start!
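The DSSE work discussed above comes down to one detail a verifier must get right: the signature covers the DSSE pre-authentication encoding (PAE) of the payload type and payload, not the raw payload bytes. The following is an added example, not sigstore-rs or sigstore-python code: a std-only PAE implementation and an envelope check that verifies over the PAE; `Envelope`, `verify_envelope` and the `verify_sig` closure are assumed names, and the closure stands in for the real ECDSA check a crypto crate would supply.

```rust
// Added example: DSSE pre-authentication encoding (PAE) and an envelope check
// over it. This is not sigstore-rs code; the signature primitive is abstracted
// behind a closure so the example runs with the standard library only.

/// PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
/// LEN is the byte length written as decimal ASCII; there is no trailing newline.
pub fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(payload_type.len() + payload.len() + 32);
    out.extend_from_slice(b"DSSEv1 ");
    out.extend_from_slice(payload_type.len().to_string().as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload_type.as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload.len().to_string().as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload);
    out
}

/// A decoded DSSE envelope (assumed shape: the base64 wrapping used in the
/// bundle JSON has already been stripped from payload and signatures).
pub struct Envelope<'a> {
    pub payload_type: &'a str,
    pub payload: &'a [u8],
    pub signatures: Vec<&'a [u8]>,
}

/// Payload type of the in-toto statements carried by build provenance attestations.
pub const IN_TOTO_PAYLOAD_TYPE: &str = "application/vnd.in-toto+json";

/// Check an envelope: the payload type must be the expected one and at least
/// one signature must verify over the PAE bytes, never over the raw payload.
/// `verify_sig(message, signature)` is the caller-supplied signature check.
pub fn verify_envelope<F>(env: &Envelope, expected_type: &str, verify_sig: F) -> Result<(), String>
where
    F: Fn(&[u8], &[u8]) -> bool,
{
    if env.payload_type != expected_type {
        return Err(format!("unexpected payloadType {:?}", env.payload_type));
    }
    if env.signatures.is_empty() {
        return Err("envelope carries no signatures".into());
    }
    let signed = pae(env.payload_type, env.payload);
    if env.signatures.iter().any(|sig| verify_sig(&signed, sig)) {
        Ok(())
    } else {
        Err("no signature verified over the PAE".into())
    }
}
```

A verifier that checks the signature against the raw payload instead of the PAE rejects every valid envelope, which is the failure mode the closure-based test below exercises.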
