Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify text provenance for GCB #242

Merged
merged 8 commits into from
Aug 30, 2022
Merged

Verify text provenance for GCB #242

merged 8 commits into from
Aug 30, 2022

Conversation

laurentsimon
Copy link
Contributor

GCB has an additional text human-readable version of the DSSE payload. This PR verifiers that it matches the verified DSSE payload.

laurentsimon
laurentsimon commented Aug 30, 2022
View reviewed changes
verifiers/internal/gcb/provenance_test.go
@@ -0,0 +1,684 @@
package gcb

import (
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For some reason this file was not committed but should have in a previous PR.

laurentsimon
laurentsimon commented Aug 30, 2022
View reviewed changes
verifiers/internal/gcb/provenance_test.go
}
}

func Test_VerifyTextProvenance(t *testing.T) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the additional test for this PR.

asraa
asraa approved these changes Aug 30, 2022
View reviewed changes
Copy link
Contributor

@asraa asraa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

verifiers/internal/gcb/provenance.go
// The GCB provenance contains a human-readable version of the intoto
// statement, but it is not compliant with the standard. It uses `slsaProvenance`
// instead of `predicate`. For backward compatibility, this has not been fixed
// by the GCB team.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the note! was confused about why not use an intotostatement

verifiers/internal/gcb/provenance_test.go Outdated Show resolved Hide resolved
@laurentsimon laurentsimon enabled auto-merge (squash) August 30, 2022 22:30
@laurentsimon laurentsimon merged commit 26c928f into slsa-framework:main Aug 30, 2022
@laurentsimon laurentsimon mentioned this pull request Sep 1, 2022
Open
23 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa approved these changes

@ianlewis ianlewis Awaiting requested review from ianlewis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@laurentsimon @asraa