Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: handle dssev001 tlog entry types #799

Merged
merged 8 commits into from
Aug 24, 2024
Merged

feat: handle dssev001 tlog entry types #799

merged 8 commits into from
Aug 24, 2024

Conversation

ramonpetgrave64
Copy link
Contributor

re: slsa-framework/slsa-github-generator#3750

Rekor TLog entries can now be of the type dsse v0.0.1, as when what's returned when using sigstore-go's Bundle().

This is to support eventual Sigstore Bundles produced by slsa-github-generator's "generic" generator, which will likely use sigstore-go's Bundle to produce attestations

Tesing

Followup

Finish the work to produce bundles from the generic generators

@ramonpetgrave64
handle dssev001 tlog entry types
bc65aed 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
lint
552e674 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
ramonpetgrave64
ramonpetgrave64 commented Aug 13, 2024
View reviewed changes
verifiers/internal/gha/bundle.go
len(env.Signatures),
len(dsseSchemaObj.Signatures))
}
// TODO(#487): verify the certs match.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copied from the original method. Not all envelopes will have certificates, so that implementation would be opportunistic.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reuse

slsa-verifier/verifiers/internal/gha/rekor.go

Line 146 in 1694bbf

func extractCert(e *models.LogEntryAnon) (*x509.Certificate, error) {
to do this comparison?
It's best practice to compare the canonicalized entry for Rekor to what you have (e.g the artifact hash, certificate, and signature, or computing the leaf hash yourself and comparing), since there is a risk of someone swapping out an inclusion proof that is valid but for the wrong entry. Of course, the chance of two signatures being the same is very low, so there isn't really a threat here.

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review August 13, 2024 18:54
@ramonpetgrave64 ramonpetgrave64 requested a review from a team as a code owner August 13, 2024 18:54
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Aug 14, 2024
Open
5 tasks
loosebazooka
loosebazooka reviewed Aug 15, 2024
View reviewed changes
Copy link

@loosebazooka loosebazooka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor things

verifiers/internal/gha/bundle.go Outdated Show resolved Hide resolved
verifiers/internal/gha/bundle.go Outdated Show resolved Hide resolved
verifiers/internal/gha/bundle.go Show resolved Hide resolved
verifiers/internal/gha/bundle.go Outdated Show resolved Hide resolved
ramonpetgrave64 and others added 5 commits August 15, 2024 20:55
@ramonpetgrave64
use slices.ContainsFunc
fa295ff 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
better errors
a7406db 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
typo
e1f66fb 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
Merge branch 'main' into ramonpetgrave64-tlog-dssev001
5e8b020
@ramonpetgrave64
typo
e1d972c 
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
loosebazooka
loosebazooka approved these changes Aug 20, 2024
View reviewed changes
Copy link

@loosebazooka loosebazooka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Dunno if you want a more "go-y" person to do a review too

@ramonpetgrave64
Copy link
Contributor Author

@cmurphy, please take a look

haydentherapper
haydentherapper approved these changes Aug 22, 2024
View reviewed changes
verifiers/internal/gha/bundle.go
len(env.Signatures),
len(dsseSchemaObj.Signatures))
}
// TODO(#487): verify the certs match.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reuse

slsa-verifier/verifiers/internal/gha/rekor.go

Line 146 in 1694bbf

func extractCert(e *models.LogEntryAnon) (*x509.Certificate, error) {
to do this comparison?
It's best practice to compare the canonicalized entry for Rekor to what you have (e.g the artifact hash, certificate, and signature, or computing the leaf hash yourself and comparing), since there is a risk of someone swapping out an inclusion proof that is valid but for the wrong entry. Of course, the chance of two signatures being the same is very low, so there isn't really a threat here.

@ramonpetgrave64
Copy link
Contributor Author

@haydentherapper We can't yet because for the older attestations produce by slsa-github-generator, the certificate was not embedded within the envelope.

But that seems like another good reason for #487

@ramonpetgrave64 ramonpetgrave64 enabled auto-merge (squash) August 24, 2024 03:16
@ramonpetgrave64 ramonpetgrave64 merged commit 767ecf9 into main Aug 24, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loosebazooka loosebazooka loosebazooka approved these changes

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ramonpetgrave64 @loosebazooka @haydentherapper