Intoto v0.0.2

[pxp928]

Summary

The current implementation of the intoto type within Rekor does not persist the signatures from the wrapping DSSE envelope into the log entry stored by Trillian. This makes it impossible to independently verify the cryptographic validity of the entry without possession of the original DSSE envelope.

Based on the discussion and design doc, it was decided to create a v0.0.2 of the intoto Rekor type with changes from v0.0.1. In addition also persisting multiple public keys and signatures.

Design Doc - https://docs.google.com/document/d/17gB598uEkoxx8j9sDhrvfhuNFHW5BSsWEiMP8POn8xo/edit?resourcekey=0-1H4eG4-4-UQYIEXZgj6AKQ#heading=h.6dq5va2kfzsw

Fixes #582

Release Note

Adds new v0.0.2 for intoto type into rekor for support of DSSE envelope with multi signature and public key

Documentation

[bobcallaway]

Is there a way we can use the DSSE signer/verifier implementation from https://pkg.go.dev/github.com/sigstore/sigstore@v1.4.0/pkg/signature/dsse instead of re-implementing it here?

[pxp928]

Let me look to use this instead.

[pxp928]

Using the implementation provided by sigstore does not provide the functionality in mapping the keys to the valid signature. The sigstore implementation just validates all the signatures with the pub keys but we further do mapping of the keys to sigs to create the log entry. We could create a issue to track this and update sigstore to add this functionality there?

[pxp928]

@bobcallaway Ready for another review.

[codecov-commenter]

Codecov Report

Merging #973 (fd253b5) into main (828f689) will increase coverage by 0.11%.
The diff coverage is 47.85%.

❗ Current head fd253b5 differs from pull request most recent head d855eea. Consider uploading reports for the commit d855eea to get more accurate results

@@            Coverage Diff             @@
##             main     #973      +/-   ##
==========================================
+ Coverage   48.06%   48.17%   +0.11%     
==========================================
  Files          61       62       +1     
  Lines        5413     5741     +328     
==========================================
+ Hits         2602     2766     +164     
- Misses       2528     2676     +148     
- Partials      283      299      +16     

Impacted Files	Coverage Δ
cmd/rekor-cli/app/root.go	20.68% <ø> (ø)
pkg/types/entries.go	6.25% <ø> (ø)
pkg/types/intoto/intoto.go	37.03% <0.00%> (ø)
pkg/types/intoto/v0.0.2/entry.go	43.75% <43.75%> (ø)
cmd/rekor-cli/app/pflag_groups.go	85.91% <76.47%> (-1.29%)	⬇️
cmd/rekor-cli/app/pflags.go	85.29% <85.00%> (-0.04%)	⬇️
pkg/sharding/ranges.go	46.01% <0.00%> (-1.26%)	⬇️
pkg/types/rekord/v0.0.1/entry.go	49.00% <0.00%> (+0.66%)	⬆️
pkg/types/alpine/v0.0.1/entry.go	56.01% <0.00%> (+2.48%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[dlorenc]

Looks like something is up with codegen here....

[bobcallaway]

looks like some of the path names in Makefile.swagger have an extra / in them for some reason.

[pxp928]

Looks like the Makefile is doing unwanted substitution?

@echo "SWAGGER_GEN=`find pkg/generated/client pkg/generated/models/ pkg/generated/restapi/ -iname '*.go' | grep -v 'configure_rekor_server' | sort -d | tr '\n' ' ' | sed 's/ $$//'`" >> Makefile.swagger;

[bobcallaway]

Looks like the Makefile is doing unwanted substitution?

@echo "SWAGGER_GEN=`find pkg/generated/client pkg/generated/models/ pkg/generated/restapi/ -iname '*.go' | grep -v 'configure_rekor_server' | sort -d | tr '\n' ' ' | sed 's/ $$//'`" >> Makefile.swagger;

#984 pushed to fix this

[dlorenc]

Tests seem stuck here.

[dlorenc]

Github is back, you might need to force push/rebase to kick the tests though.

[pxp928]

Updating the tests.

[pxp928]

Any thoughts on why the e2e test fail on [GET /api/v1/log/entries/{entryUUID}][404] getLogEntryByUuidNotFound. The entry seems to get created successfully.

[priyawadhwa]

Any thoughts on why the e2e test fail on [GET /api/v1/log/entries/{entryUUID}][404] getLogEntryByUuidNotFound. The entry seems to get created successfully.

I ran it locally and got this error:

    e2e_test.go:527: [POST /api/v1/log/entries][400] createLogEntryBadRequest  &{Code:400 Message:Error processing entry: intoto implementation for version '0.0.1' not found: unable to locate entry for version 0.0.1}

probably related to this comment https://github.com/sigstore/rekor/pull/973/files#r948283591

[pxp928]

Any thoughts on why the e2e test fail on [GET /api/v1/log/entries/{entryUUID}][404] getLogEntryByUuidNotFound. The entry seems to get created successfully.

I ran it locally and got this error:

    e2e_test.go:527: [POST /api/v1/log/entries][400] createLogEntryBadRequest  &{Code:400 Message:Error processing entry: intoto implementation for version '0.0.1' not found: unable to locate entry for version 0.0.1}

probably related to this comment https://github.com/sigstore/rekor/pull/973/files#r948283591

Still getting the same error on the e2e test: [GET /api/v1/log/entries/{entryUUID}][404] getLogEntryByUuidNotFound. Did some testing and it looks like the entry does get created. When I run it twice, it does say an entry is present already.

[asraa]

Thanks! This may be a very late drive-by on the schema: but I have a major question about the schema's payload and payloadHash

[asraa]

nit: for simplicity just use if len(props.PublicKeyPath) != 1? then no need for the second if clause

[pxp928]

done.

[asraa]

again, could consolidate the >1 and ==1 check

[pxp928]

done

[asraa]

should there be a warning when more than one public key byte files are provided?

[pxp928]

yup will add.

[dlorenc]

Everything is passing! Is this on track to merge this week @bobcallaway?

[bobcallaway]

Everything is passing! Is this on track to merge this week @bobcallaway?

@pxp928 and I are debugging hopefully the final issue before merge now

[bobcallaway]

LGTM, thanks for the hard work!

[priyawadhwa]

nice!!

[dlorenc]

YESSS!