IMPORTANT: This will be potentially superseded by #122
During the attestation process, the CLI will make sure that before crafting, signing and pushing the in-toto attestation to the control-plane, it meets the requirements of the associated workflow contract.
For example, this is an in-progress attestation that requires three materials, two of which have not been provided yet.
```
$ chainloop att status
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 15 Mar 23 11:48 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Workflow          │ 37022b2f-34c3-4f47-9fd7-514b4a7baaad │
│ Name              │ build-and-release                    │
└───────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────────────────────────┐
│ Materials                                                 │
├────────┬─────────────────────┬─────┬──────────┬───────────┤
│ NAME   │ TYPE                │ SET │ REQUIRED │ IS OUTPUT │
├────────┼─────────────────────┼─────┼──────────┼───────────┤
│ image  │ CONTAINER_IMAGE     │ Yes │ Yes      │ x         │
│ binary │ ARTIFACT            │ No  │ Yes      │           │
│ sbom   │ SBOM_CYCLONEDX_JSON │ No  │ Yes      │           │
└────────┴─────────────────────┴─────┴──────────┴───────────┘
```
When you try to push it, the CLI will complain:
```
$ chainloop att push
ERR some materials have not been crafted yet: binary, sbom
```
A similar validation is not being performed on the server side.
This task is about implementing server-side validation in the control plane API `Attestation.Store` method (chainloop/app/controlplane/api/controlplane/v1/workflow_run.proto, line 30 in e770fae). This validation must:
- Unpack the received DSSE envelope and extract the attestation,
- Make sure that the attestation is for the workflow run we receive as part of the robot-account token,
- Verify its content against the contract revision associated with the workflow run.
For a future task, we should look into verifying the DSSE payload by checking the signature, but to do that we might need to also sign the envelope with a key known by the control plane. Currently the payload is signed by a key provided by the user.
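As an added illustration (not Chainloop's own code), the three server-side checks above could look like this in Go: unpack the DSSE envelope, bind the statement to the run id taken from the robot-account token, and diff the crafted materials against the contract's required list, mirroring the CLI's pre-push check. The predicate layout (`workflowRun`, `materials`), the `Validate` signature and the plain `required` list standing in for a contract revision are assumptions made here; signature verification is left out, as the issue says.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE wire form; signatures are not verified here, matching the issue's scope.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the in-toto statement
}

// Validate unpacks the envelope, checks it is bound to the workflow run named by the robot-account
// token, and returns the required materials the attestation lacks (contract order; non-empty = reject).
func Validate(env Envelope, tokenRunID string, required []string) ([]string, error) {
	if env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	// Only the fields this check reads. The predicate shape (workflowRun,
	// materials) is assumed for illustration; it is not Chainloop's schema.
	var st struct {
		Predicate struct {
			WorkflowRun string   `json:"workflowRun"`
			Materials   []string `json:"materials"`
		} `json:"predicate"`
	}
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	if st.Predicate.WorkflowRun != tokenRunID {
		return nil, fmt.Errorf("attestation is for run %q, token is for %q", st.Predicate.WorkflowRun, tokenRunID)
	}
	have := map[string]bool{}
	for _, m := range st.Predicate.Materials {
		have[m] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}
```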