feat: handle dssev001 tlog entry types #799
Signed-off-by: Ramon Petgrave <[email protected]>
```go
		len(env.Signatures),
		len(dsseSchemaObj.Signatures))
}
// TODO(#487): verify the certs match.
```
Copied from the original method. Not all envelopes will have certificates, so that implementation would be opportunistic.
Can we reuse `extractCert` from slsa-verifier/verifiers/internal/gha/rekor.go (line 146 in 1694bbf)?

```go
func extractCert(e *models.LogEntryAnon) (*x509.Certificate, error) {
```
It's best practice to compare the canonicalized entry for Rekor to what you have (e.g. the artifact hash, certificate, and signature, or computing the leaf hash yourself and comparing), since there is a risk of someone swapping out an inclusion proof that is valid but for the wrong entry. Of course, the chance of two signatures being the same is very low, so there isn't really a threat here.
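The check described in the comment above, as an added example that is not part of this PR or of slsa-verifier's own code: it recomputes the Rekor leaf hash over the entry body so the inclusion proof is known to cover this exact entry, and checks that each envelope signature is actually present in the dsse v0.0.1 entry rather than only comparing counts. The `dsseBody` layout and the `SampleBody` fixture are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// dsseBody mirrors the parts of a Rekor "dsse" v0.0.1 entry body that this check reads
// (an assumed layout, not rekor's generated models; the real entry also carries a "verifier" per signature).
type dsseBody struct {
	Kind string
	Spec struct{ Signatures []struct{ Signature string } }
}

// LeafHash is the RFC 6962 leaf hash Rekor's Merkle tree uses: sha256(0x00 || canonical body).
// The inclusion proof proves membership of exactly this hash, so it must be derived from our body.
func LeafHash(body []byte) string {
	h := sha256.Sum256(append([]byte{0}, body...))
	return hex.EncodeToString(h[:])
}

// CheckEntry ties a log entry to the envelope we verified: the inclusion proof must be for this exact
// body, and every envelope signature (its base64 "sig" value) must be in it, not merely the same count.
func CheckEntry(body []byte, proofLeafHash string, envSigs []string) error {
	if LeafHash(body) != proofLeafHash {
		return fmt.Errorf("inclusion proof leaf hash does not match this entry body")
	}
	var b dsseBody
	if err := json.Unmarshal(body, &b); err != nil {
		return err
	}
	if b.Kind != "dsse" || len(envSigs) != len(b.Spec.Signatures) {
		return fmt.Errorf("kind or signature count mismatch: %d in envelope, %d in entry", len(envSigs), len(b.Spec.Signatures))
	}
	for _, s := range envSigs {
		found := false
		for _, t := range b.Spec.Signatures {
			found = found || t.Signature == s
		}
		if !found {
			return fmt.Errorf("envelope signature %s is not in the log entry", s)
		}
	}
	return nil
}

// SampleBody is a constructed dsse v0.0.1 entry body, not real log data.
var SampleBody = []byte(`{"apiVersion":"0.0.1","kind":"dsse","spec":{"signatures":[{"signature":"c2lnLWJ5dGVz"}]}}`)
```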
Just some minor things
Signed-off-by: Ramon Petgrave <[email protected]>
Looks good to me. Dunno if you want a more "go-y" person to do a review too
@cmurphy, please take a look
@haydentherapper We can't yet because for the older attestations produced by slsa-github-generator, the certificate was not embedded within the envelope. But that seems like another good reason for #487
…orkflows (#3777)

# Summary

fixes #3750

pending slsa-framework/slsa-verifier#799

Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows.

## Testing Process

Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches.

- https://github.com/slsa-framework/slsa-github-generator/actions/runs/10425271660

## Followup

- [ ] Produce the provenance in v1 format, rather than the current v0.2 format.
- [ ] fix initialism of `[build]invocationID` to `[build]invocationId` #3876

## Checklist

- [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable.

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
re: slsa-framework/slsa-github-generator#3750
Rekor TLog entries can now be of the type dsse v0.0.1, as is what's returned when using sigstore-go's `Bundle()`. This is to support eventual Sigstore Bundles produced by slsa-github-generator's "generic" generator, which will likely use sigstore-go's Bundle to produce attestations.
Testing
Followup
Finish the work to produce bundles from the generic generators