Add index to hashed intoto envelope #761

Merged
merged 2 commits into from
Apr 8, 2022

@asraa asraa commented Apr 7, 2022

Signed-off-by: Asra Ali <asraa@google.com>

Summary

Ticket Link

Related #646

This allows searching for a rekor entry by the signed envelope hash. E.g. if a user has provenance.intoto.jsonl, then currently we can't search for that provenance unless we take the hash of the payload or Subject.Digest's. This way cosign will also verify-blob the hard way by searching for the artifact file hash.

The hash is the same as the hash in the rekor entry:

"Body": {
    "IntotoObj": {
      "content": {
        "hash": {
          "algorithm": "sha256",
          "value": "d05ff19cea34cd451c0a3133dc44d933e706fa00a910192f28b8dbe43d373020"
        }
      },
      "publicKey": "..."
    }

Release Note


Signed-off-by: Asra Ali <asraa@google.com>
@asraa asraa requested a review from bobcallaway as a code owner April 7, 2022 18:20
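
As an added example (not code from this pull request or from Rekor itself): a Go sketch of the lookup the description enables, hashing the envelope file's bytes and comparing the result with the `content.hash` of an entry shaped like the excerpt above. The `sha256:<hex>` key form, the function names and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// entry mirrors only the fields quoted in the PR description's excerpt.
type entry struct {
	Body struct {
		IntotoObj struct {
			Content struct {
				Hash struct{ Algorithm, Value string }
			}
		}
	}
}

// EnvelopeIndexKey hashes the envelope bytes exactly as they sit on disk.
// The "sha256:<hex>" form is an assumption about how the key is written.
func EnvelopeIndexKey(envelope []byte) string {
	sum := sha256.Sum256(envelope)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// MatchesEntry reports whether entryJSON records the hash of this envelope.
func MatchesEntry(envelope, entryJSON []byte) (bool, error) {
	var e entry
	if err := json.Unmarshal(entryJSON, &e); err != nil {
		return false, err
	}
	h := e.Body.IntotoObj.Content.Hash
	if !strings.EqualFold(h.Algorithm, "sha256") {
		return false, fmt.Errorf("unsupported hash algorithm %q", h.Algorithm)
	}
	return EnvelopeIndexKey(envelope) == "sha256:"+strings.ToLower(h.Value), nil
}

// Constructed sample data: not a real signed envelope or a real log entry.
var sampleEnvelope = []byte(`{"payloadType":"application/vnd.in-toto+json","payload":"e30=","signatures":[{"keyid":"","sig":"c2ln"}]}`)

func sampleEntry() []byte {
	digest := strings.TrimPrefix(EnvelopeIndexKey(sampleEnvelope), "sha256:")
	return []byte(`{"Body":{"IntotoObj":{"content":{"hash":{"algorithm":"sha256","value":"` + digest + `"}}}}}`)
}

func main() { fmt.Println(MatchesEntry(sampleEnvelope, sampleEntry())) }
```

Because the digest covers the exact file bytes, a trailing newline or a re-serialised copy of the envelope produces a different key and the lookup misses.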
@codecov-commenter

Codecov Report

Merging #761 (de65048) into main (3de8b60) will decrease coverage by 0.10%.
The diff coverage is 37.50%.

@@            Coverage Diff             @@
##             main     #761      +/-   ##
==========================================
- Coverage   49.15%   49.04%   -0.11%     
==========================================
  Files          61       61              
  Lines        5566     5574       +8     
==========================================
- Hits         2736     2734       -2     
- Misses       2536     2545       +9     
- Partials      294      295       +1     
Impacted Files Coverage Δ
pkg/types/intoto/v0.0.1/entry.go 35.51% <37.50%> (+0.09%) ⬆️
pkg/types/helm/v0.0.1/entry.go 52.41% <0.00%> (-1.21%) ⬇️
pkg/types/alpine/v0.0.1/entry.go 61.24% <0.00%> (-0.78%) ⬇️

Signed-off-by: Asra Ali <asraa@google.com>
@dlorenc dlorenc merged commit 4dabcda into sigstore:main Apr 8, 2022
@github-actions github-actions bot added this to the v1.0.0 milestone Apr 8, 2022