[WIP] Add verify command and enable use with CI/CD #34

doodzik · 2021-10-29T04:44:04Z

No description provided.

fix connection to rekor

Use rubygems style guide

Co-authored-by: Frederik Dudzik <5946811+doodzik@users.noreply.github.com>

Sign gem

super terrible `gem verify` implementation

Some refactors

) * define CertChain and CertExtensions * Extract cert code from RekordEntry * remove method_missing stuff from CertExtensions * move issuing certificate retrieval into CertExtensions * move subject_alt_name into CertExtensions

Print all unique emails from valid signature entries

Clean up some of the printed messages

doodzik · 2021-12-09T00:58:30Z

Will do 👍
There are still some things we want to get done before opening it up for review.

add decision log

Fix NoMethodError for `gem verify` on an unsigned gem

Add a `gem signatures` command

add siging_policy

make verify command work in bundler

Delete the `gem sign` and `gem verify` commands

…gnatures Rename `install` command's --verify option to --verify-signatures

Rename install command's --verify option to --verify-signatures

Update the README

Co-authored-by: Jacques Chester <jacques.chester@shopify.com>

When these pre-install hooks are called, Rubygems has already validated that the given package is a valid gem, both locally and remotely. If the file does not exist or is not a valid gemfile, no package exists on the installer at line 32. Plus, Rubygems raises an error. Co-authored-by: Jacques Chester <jacques.chester@shopify.com>

Ruby 3.1 adds net/smtp to default standard library gems. Since we don't have a mailer in this project we need to explicitly not include it. Ref: https://stackoverflow.com/questions/70500220/rails-7-ruby-3-1-loaderror-cannot-load-such-file-net-smtp

If numbers are not quoted, the YAML parser will treat 3.0 as '3' and so the latest version minor version of 3, 3.1 will run instead of sticking with the 3.0.x patch version. Also adds quotes around the other ruby versions for consistency

Validate file is a gem on signature command

…responses Check responses from Fulcio/Rekor POSTs, raise unless expected

Store gem signatures in a hashedrekord

lukehinds · 2024-02-09T08:33:16Z

I guess this is dead now, any more interest in the work @doodzik ?

doodzik and others added 5 commits October 28, 2021 10:44

fix connection to rekor

013e186

Merge pull request #1 from Shopify/fix_connection_to_sigstore

1dcc6ac

fix connection to rekor

add rubocop

a53f3a5

add rubygems rubocop file

a5eb3a5

apply rubocop changes

f64477c

doodzik changed the title ~~[WIP] This PR tracks the work on the plugin done at Shopify~~ [WIP] Add verify command Oct 29, 2021

doodzik and others added 21 commits October 28, 2021 22:15

sign gem

9a09388

Merge pull request #2 from Shopify/use_rubygems_style_guide

cf7fba9

Use rubygems style guide

Restore default SSL peer verification for connections to fulcio (#4)

8a7d2ad

Co-authored-by: Frederik Dudzik <5946811+doodzik@users.noreply.github.com>

push cert chain to rekord

6bb57af

Merge pull request #8 from Shopify/sign_gem

25a4ec2

Sign gem

super terrible gem verify implementation

b8f637a

Merge pull request #11 from Shopify/gem-install--verify

13afc81

super terrible `gem verify` implementation

add gemfile class

3613202

add namespaces

286d05f

move fulcio api calls out of http client

0e0f307

move rekor api out of http

5e945af

add gem signer and verifier classes

195bd1b

misc fixes

ac7728f

various fixes to get sign & verify working

f20d826

Merge pull request #9 from Shopify/refactor

3994ba0

Some refactors

exclude byebug_history from git

193ed4b

print all unique emails from valid signature entries

714cda5

Merge pull request #20 from Shopify/list_all_signer_emails

ce9d0bc

Print all unique emails from valid signature entries

Clean up some of the printed messages

83428c0

Merge pull request #22 from Shopify/improve-output-messaging

7467a4f

Clean up some of the printed messages

doodzik changed the title ~~[WIP] Add verify command~~ [WIP] Add verify command and enable use with CI/CD Nov 18, 2021

rochlefebvre added 2 commits November 18, 2021 16:05

update gitignore, Rakefile and dependencies; remove rspec

bd97622

add rake workflow; temporarily remove verify workflow

e5076ef

rochlefebvre and others added 28 commits December 15, 2021 10:57

Support empty responses in Rekor::Api#where

d5ba747

add decision log

770c03a

Merge pull request #48 from Shopify/create_decision_log

d20d841

add decision log

Merge pull request #45 from Shopify/fix-verify-unsigned-gem

96c1553

Fix NoMethodError for `gem verify` on an unsigned gem

Combine sign and verify into a new signature command

7c00ea3

Merge pull request #51 from Shopify/add-signatures-command

c5869f7

Add a `gem signatures` command

add verify to install command

f9684af

add siging_policy

Merge pull request #50 from Shopify/bundler_verify_command

1ea850b

make verify command work in bundler

Delete gem sign and gem verify

e09fa5a

Rename install command's --verify option to --verify-signatures

0508d64

Merge pull request #53 from Shopify/clean-up-commands

858e7d7

Delete the `gem sign` and `gem verify` commands

Merge pull request #54 from Shopify/rename-verify-option-to-verify-si…

c2eee4c

…gnatures Rename `install` command's --verify option to --verify-signatures

Merge pull request #55 from Shopify/clean-up-commands

3983a41

Rename install command's --verify option to --verify-signatures

Update the README

393af47

Merge pull request #44 from Shopify/update-readme

2ede6a0

Update the README

Validate file is a gem on signatures command

e2eeeac

Co-authored-by: Jacques Chester <jacques.chester@shopify.com>

Fix Ruby 3.1 net/smtp bug

86a64be

Ruby 3.1 adds net/smtp to default standard library gems. Since we don't have a mailer in this project we need to explicitly not include it. Ref: https://stackoverflow.com/questions/70500220/rails-7-ruby-3-1-loaderror-cannot-load-such-file-net-smtp

Add quotes around ruby version numbers

489a1a4

If numbers are not quoted, the YAML parser will treat 3.0 as '3' and so the latest version minor version of 3, 3.1 will run instead of sticking with the 3.0.x patch version. Also adds quotes around the other ruby versions for consistency

Test 3.1

3274d9b

Merge pull request #56 from Shopify/validate_file_gemminess

d157c51

Validate file is a gem on signature command

Fix reference to undefined variable

6c65818

Check responses from Fulcio/Rekor POSTs, raise unless expected

4bc8603

Merge pull request #62 from Shopify/raise-on-unexpected-fulcio-rekor-…

b8621f0

…responses Check responses from Fulcio/Rekor POSTs, raise unless expected

extract Signature module from Rekord

a9a6f90

store signatures in hashedrekord

14c84d9

support verification of hashedrekord signatures

19c0606

Merge pull request #63 from Shopify/use-hashedrekord

1fd5157

Store gem signatures in a hashedrekord

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[WIP] Add verify command and enable use with CI/CD #34

[WIP] Add verify command and enable use with CI/CD #34

doodzik commented Oct 29, 2021 •

edited

doodzik commented Dec 9, 2021 •

edited

lukehinds commented Feb 9, 2024

[WIP] Add verify command and enable use with CI/CD #34

Are you sure you want to change the base?

[WIP] Add verify command and enable use with CI/CD #34

Conversation

doodzik commented Oct 29, 2021 • edited

doodzik commented Dec 9, 2021 • edited

lukehinds commented Feb 9, 2024

doodzik commented Oct 29, 2021 •

edited

doodzik commented Dec 9, 2021 •

edited