feat: handle dssev001 tlog entry types #799
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
ramonpetgrave64
commented
Aug 13, 2024
| len(env.Signatures), | ||
| len(dsseSchemaObj.Signatures)) | ||
| } | ||
| // TODO(#487): verify the certs match. |
There was a problem hiding this comment.
Copied from the original method. Not all envelopes will have certificates, so that implementation would be opportunistic.
There was a problem hiding this comment.
Can we reuse
slsa-verifier/verifiers/internal/gha/rekor.go
Line 146 in 1694bbf
It's best practice to compare the canonicalized entry for Rekor to what you have (e.g the artifact hash, certificate, and signature, or computing the leaf hash yourself and comparing), since there is a risk of someone swapping out an inclusion proof that is valid but for the wrong entry. Of course, the chance of two signatures being the same is very low, so there isn't really a threat here.
5 tasks
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
loosebazooka
approved these changes
Aug 20, 2024
|
@cmurphy, please take a look |
haydentherapper
approved these changes
Aug 22, 2024
| len(env.Signatures), | ||
| len(dsseSchemaObj.Signatures)) | ||
| } | ||
| // TODO(#487): verify the certs match. |
There was a problem hiding this comment.
Can we reuse
slsa-verifier/verifiers/internal/gha/rekor.go
Line 146 in 1694bbf
It's best practice to compare the canonicalized entry for Rekor to what you have (e.g the artifact hash, certificate, and signature, or computing the leaf hash yourself and comparing), since there is a risk of someone swapping out an inclusion proof that is valid but for the wrong entry. Of course, the chance of two signatures being the same is very low, so there isn't really a threat here.
|
@haydentherapper We can't yet because for the older attestations produce by slsa-github-generator, the certificate was not embedded within the envelope. But that seems like another good reason for #487 |
ramonpetgrave64
added a commit
to slsa-framework/slsa-github-generator
that referenced
this pull request
Oct 24, 2024
…orkflows (#3777) # Summary fixes #3750 pending slsa-framework/slsa-verifier#799 Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows. ## Testing Process Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches. - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10425271660 ## Followup [ ] Produce the provenance in v1 format, rather than the current v0.2 format. [ ] fix initialism of `[build]invocationID` to `[build]invocationId` #3876 ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [x] Update documentation if applicable. - [x] Add unit tests if applicable. - [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. --------- Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
re: slsa-framework/slsa-github-generator#3750
Rekor TLog entries can now be of the type dsse v0.0.1, as when what's returned when using sigstore-go's
Bundle().This is to support eventual Sigstore Bundles produced by slsa-github-generator's "generic" generator, which will likely use sigstore-go's Bundle to produce attestations
Tesing
Followup
Finish the work to produce bundles from the generic generators