Add LinkAttestor for in-toto Attestation Framework Link Predicate #288
base: master
@adityasaky One thing I should mention with this change: I wasn't certain what naming convention to use here for the file dump, so I kept the link style that's defined in the in-toto v1 specification. However, I can see the desire to use a different naming convention, especially if multiple predicates are generated for a single step. I assume that multiple envelopes would be combined into a bundle if there are multiple predicates for a step. Though, I think that witness handles this with multiple predicates within a predicate.
Nice! I need to look into how this will interact with the work I'm doing over in #268. Hoping not to duplicate work in either case. EDIT: I wrote this not having fully internalized how the I'm also not entirely sure we need to duplicate
I'll take a look at that PR. Originally I did have the functionality within the in-toto run command, but didn't like the idea of mixing it in there. I wanted to support not using the link predicate as well, though perhaps that's not needed.
Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
remove slice package. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
Add attestation flag. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
Fix link predicate version. Cleanup statement pointer. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
fix tests, use latest predicate type string. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
switch to pointer receiver. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
switch sign statement to private. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
switch to using make for products and materials. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
fix link attestor test. Signed-off-by: Adam Nauth <Forrin@users.noreply.github.com>
This change adds a "LinkAttestor" which is able to create in-toto Attestation compliant metadata for a link predicate.
I experimented with a variety of ways to implement this, but chose to add an Attestor type over updating the InTotoRun function to include this capability (like how --use-dsse is implemented).
This is added with the thought that additional attestation predicate types may be supported in the future. In addition, I assume that we may not want to use DSSE for all signing operations (thus support creating an unsigned statement).
This won't work with layouts as there isn't a layout structure for the Attestation framework yet, I believe.
The Attestor code can easily be moved into its own package if desired. I'm not certain what other Attestors, if any, should be supported, but this can probably be made more dynamic if needed.
A smidge of code is duplicated, which can be cleaned up, but I didn't want to touch the v1 code too much for this submission.
Example usage:
Output:
Decoded Payload:
edit: fixed predicate string to use latest version over deprecated.
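As an added illustration of what the description calls an "unsigned statement" versus a DSSE-wrapped one, the Go program below builds an in-toto Attestation Framework Statement carrying a link predicate and then signs and verifies it as a DSSE envelope. This is example code written for this page, not the PR's LinkAttestor or any in-toto-golang API: the type URIs are the ones the framework publishes (Statement v1, link predicate v0.3, the `application/vnd.in-toto+json` payload type), while the function names (`Describe`, `NewLinkStatement`, `SignStatement`, `VerifyEnvelope`), the Ed25519 key choice, the reduced predicate fields, and the sample artifacts are assumptions made here to keep it standard-library only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Type URIs from the in-toto Attestation Framework (current link predicate URI, not the deprecated Link/v1).
const (
	StatementType     = "https://in-toto.io/Statement/v1"
	LinkPredicateType = "https://in-toto.io/attestation/link/v0.3"
	PayloadType       = "application/vnd.in-toto+json"
)

// ResourceDescriptor is the subset of the framework's descriptor used here.
type ResourceDescriptor struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// LinkPredicate records what the step consumed and the command it ran (reduced field set for this example).
type LinkPredicate struct {
	Name      string               `json:"name"`
	Command   []string             `json:"command"`
	Materials []ResourceDescriptor `json:"materials"`
}

// Statement is the Statement v1 wrapper; the step's products are its subject.
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     LinkPredicate        `json:"predicate"`
}

// Signature and Envelope follow the DSSE envelope layout.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Describe hashes one artifact into a descriptor (hypothetical helper).
func Describe(name string, content []byte) ResourceDescriptor {
	sum := sha256.Sum256(content)
	return ResourceDescriptor{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sum)}}
}

// NewLinkStatement builds the unsigned statement, the form an unsigned dump would carry.
func NewLinkStatement(step string, command []string, materials, products []ResourceDescriptor) Statement {
	pred := LinkPredicate{Name: step, Command: command, Materials: materials}
	return Statement{Type: StatementType, Subject: products, PredicateType: LinkPredicateType, Predicate: pred}
}

// pae is the DSSE Pre-Authentication Encoding; signing it rather than the raw JSON binds the payload type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignStatement wraps the statement in a DSSE envelope signed with Ed25519.
func SignStatement(st Statement, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(PayloadType, payload))
	env := Envelope{PayloadType: PayloadType, Payload: base64.StdEncoding.EncodeToString(payload)}
	env.Signatures = []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}
	return env, nil
}

// VerifyEnvelope parses the statement only after a signature verifies over the PAE,
// then checks the type URIs so another predicate is not mistaken for a link.
func VerifyEnvelope(env Envelope, pub ed25519.PublicKey) (Statement, error) {
	var st Statement
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, err
	}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			continue
		}
		if err := json.Unmarshal(payload, &st); err != nil {
			return st, err
		}
		if st.Type != StatementType || st.PredicateType != LinkPredicateType {
			return st, fmt.Errorf("unexpected types %q / %q", st.Type, st.PredicateType)
		}
		return st, nil
	}
	return st, fmt.Errorf("no signature verified with the given key")
}
```

The verifier side is where the design choice shows: the base64 payload is never unmarshalled until a signature over the PAE has checked out, and the `_type` and `predicateType` URIs are compared before the predicate is trusted, which is also why the PR's switch from the deprecated predicate string to the current one matters to any consumer that pins the URI.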