dsse type

[mikhailswift]

Summary

Adds a DSSE type that validated each signature on the envelope. If the payload is an in-toto statement all in-toto subjects will be indexed. The hash of the payload, PAE encoded payload, and public keys are also indexed.

I've tested this locally and it works but I need to write tests and add it to the e2e test script yet. I'm opening this draft for discussion and input.

Ticket Link

Fixes #582

Release Note

[bobcallaway]

looking good so far, a couple minor things.

Does it make sense to move any of the verifier logic into sigstore/sigstore for reuse?

[bobcallaway]

Suggested change

	return nil, errors.New("cannot unmarshal non-Rekord types")
	return nil, errors.New("cannot unmarshal non-DSSE types")

[bobcallaway]

Suggested change

	_, err := verifyEnvelope(allPubKeyBytes, env)
	if err != nil {
	return fmt.Errorf("could not verify envelope: %w", err)
	}
	if _, err := verifyEnvelope(allPubKeyBytes, env); err != nil {
	return fmt.Errorf("could not verify envelope: %w", err)
	}

[dlorenc]

Thanks for the PR and much needed cleanup!

[mikhailswift]

Sorry for the delay in getting this finished up -- lost power over the weekend. I'm going to try and get this cleaned up and a full PR up today.

[pxp928]

@mikhailswift I just ran into this issue recently. Do you need any help pushing this over the finish line?

[codecov-commenter]

Codecov Report

Merging #596 (85d1a9e) into main (547eb3c) will increase coverage by 0.00%.
The diff coverage is 37.03%.

@@           Coverage Diff           @@
##             main     #596   +/-   ##
=======================================
  Coverage   46.56%   46.57%           
=======================================
  Files          60       61    +1     
  Lines        5094     5121   +27     
=======================================
+ Hits         2372     2385   +13     
- Misses       2447     2460   +13     
- Partials      275      276    +1     

Impacted Files	Coverage Δ
cmd/rekor-cli/app/root.go	20.68% <ø> (ø)
pkg/types/entries.go	6.25% <ø> (ø)
pkg/types/dsse/dsse.go	37.03% <37.03%> (ø)
pkg/types/alpine/v0.0.1/entry.go	56.25% <0.00%> (+1.25%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 547eb3c...85d1a9e. Read the comment docs.

[dlorenc]

A few comments.

[dlorenc]

I might be misunderstanding this, but it looks like the props.PublicKeyBytes will get appended twice. Is that intentional?

[mikhailswift]

PublicKeyBytes vs PublicKeysBytes

Part of the discussion on the issue was how to handle passing multiple public keys for cases where we would want to validate multiple signatures on the envelope. To handle this a new prop called PublicKeysBytes was added to handle that case. It's not a very nice solution though, so definitely open to alternatives here.

[bobcallaway]

A few comments/questions inline; I think we should also update pkg/types/README.md with some info about this type and how it explicitly differs from intoto.

[bobcallaway]

is the hash algorithm always going to be SHA256 for this?

[mikhailswift]

While not part of the DSSE spec it seems that all current users of DSSE default to using SHA256 during signing.

[dlorenc]

This can get closed out now!

[jmeth]

Sorry to comment on a closed PR but it seems like this was closed but never merged in to main. Was that the intention here?

[pxp928]

Sorry to comment on a closed PR but it seems like this was closed but never merged in to main. Was that the intention here?

@jmeth All the changes here were incorporated in another PR #973