
fix: adds envelope hash to in-toto entries in tlog entry creation #2118

Merged
merged 16 commits into from Aug 14, 2022
37 changes: 15 additions & 22 deletions pkg/cosign/tlog.go
Expand Up @@ -25,6 +25,7 @@ import (
"encoding/hex"
"errors"
"fmt"
"github.com/sigstore/rekor/pkg/types"
"os"
"strings"

Expand All @@ -39,7 +40,6 @@ import (
"github.com/sigstore/rekor/pkg/generated/client/index"
"github.com/sigstore/rekor/pkg/generated/models"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
intoto_v001 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
"github.com/sigstore/sigstore/pkg/tuf"
)

Expand Down Expand Up @@ -164,12 +164,15 @@ func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, paylo

// TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error) {
e := intotoEntry(signature, pemBytes)
returnVal := models.Intoto{
APIVersion: swag.String(e.APIVersion()),
Spec: e.IntotoObj,
e, err := types.NewProposedEntry(context.Background(), "intoto", "0.0.1", types.ArtifactProperties{
Wouldn’t you use the context from the input argument as it ? It sounds like a better option to me.

Also I don’t feel hardcoding the intoto version as text is an improvement. Perhaps that is something to get from the api type.

@hectorj2f correct, sorry — I addressed the comments by isolating it to the specific intoto function and allowing it to propagate the default version... maybe we want to keep it pinned to a specific version though, to reduce the risk of dependency changes?

ArtifactBytes: signature,
PublicKeyBytes: pemBytes,
})
if err != nil {
return nil, err
}
return doUpload(ctx, rekorClient, &returnVal)

return doUpload(ctx, rekorClient, e)
}

func doUpload(ctx context.Context, rekorClient *client.Rekor, pe models.ProposedEntry) (*models.LogEntryAnon, error) {
Expand Down Expand Up @@ -199,18 +202,6 @@ func doUpload(ctx context.Context, rekorClient *client.Rekor, pe models.Proposed
return nil, errors.New("bad response from server")
}

func intotoEntry(signature, pubKey []byte) intoto_v001.V001Entry {
pub := strfmt.Base64(pubKey)
return intoto_v001.V001Entry{
IntotoObj: models.IntotoV001Schema{
Content: &models.IntotoV001SchemaContent{
Envelope: string(signature),
},
PublicKey: &pub,
},
}
}

func rekorEntry(payload, signature, pubKey []byte) hashedrekord_v001.V001Entry {
// TODO: Signatures created on a digest using a hash algorithm other than SHA256 will fail
// upload right now. Plumb information on the hash algorithm used when signing from the
Expand Down Expand Up @@ -286,10 +277,12 @@ func proposedEntry(b64Sig string, payload, pubKey []byte) ([]models.ProposedEntr
// The fact that there's no signature (or empty rather), implies
// that this is an Attestation that we're verifying.
if len(signature) == 0 {
te := intotoEntry(payload, pubKey)
entry := &models.Intoto{
APIVersion: swag.String(te.APIVersion()),
Spec: te.IntotoObj,
entry, err := types.NewProposedEntry(context.Background(), "intoto", "0.0.1", types.ArtifactProperties{
ArtifactBytes: signature,
PublicKeyBytes: pubKey,
})
if err != nil {
return nil, err
}
proposedEntry = []models.ProposedEntry{entry}
} else {
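Review bot: In the last hunk the `len(signature) == 0` branch passes `ArtifactBytes: signature` to `types.NewProposedEntry`, so the envelope bytes handed to the intoto type are always empty there; the call it replaces was `intotoEntry(payload, pubKey)`, so the line should read `ArtifactBytes: payload,`. Because proposedEntry builds the entry used to locate the attestation in the transparency log, an empty envelope would at best fail entry construction and at worst never match the entry that was uploaded, so attestation verification would not succeed — inferred from the visible lines, and worth a test that round-trips an attestation through proposedEntry. The same `ArtifactBytes: signature` in TLogUploadInTotoAttestation (third hunk) is correct, since there the envelope arrives in the `signature` parameter. Separately, the new `"github.com/sigstore/rekor/pkg/types"` import in the first hunk sits inside the standard-library group; goimports would place it with the other sigstore imports.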