Skip to content

feat(verification): automatically verify on describe command #1808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Feb 12, 2025
Merged

feat(verification): automatically verify on describe command #1808

merged 24 commits into from
Feb 12, 2025

Conversation

jiparis
Copy link
Member

@jiparis jiparis commented Feb 12, 2025
edited
Loading

This PR adds automatic verification on workflow run describe command, using the trusted root from Chainloop service and verification material from the attestation.
Note that only the signature and certificate chain are validated. Certificate contents validation is not yet implemented (issuer, SAN, etc.)

> chainloop wf run describe --digest sha256:0c432b7de0dde8c1aea926086e9346980c03abecd3461e00bb87413f50466037
┌───────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Workflow                                                                                              │
├─────────────────────────────┬─────────────────────────────────────────────────────────────────────────┤
│ ID                          │ 95f1b597-20e1-498c-b931-fc6d7331860e                                    │
│ Name                        │ mywf                                                                    │
│ Team                        │                                                                         │
│ Project                     │ myproject                                                               │
│ Version                     │ v0.162.0 (prerelease)                                                   │
├─────────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Workflow Run                │                                                                         │
├─────────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ ID                          │ 5fed99ee-c48e-475e-ab9d-2954c1f9b495                                    │
│ Initialized At              │ 12 Feb 25 09:18 UTC                                                     │
│ Finished At                 │ 12 Feb 25 09:19 UTC                                                     │
│ State                       │ success                                                                 │
│ Runner Link                 │                                                                         │
├─────────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Statement                   │                                                                         │
├─────────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Payload Type                │ application/vnd.in-toto+json                                            │
│ Digest                      │ sha256:0c432b7de0dde8c1aea926086e9346980c03abecd3461e00bb87413f50466037 │
│ Verified                    │ true                                                                    │
│ Policies violation strategy │ ADVISORY                                                                │
│ Policies                    │ ------                                                                  │
│                             │ source-commit: Ok                                                       │
│                             │ sbom-present: missing SBOM material                                     │
└─────────────────────────────┴─────────────────────────────────────────────────────────────────────────┘
INF you can use the flag "--output statement" to see the full in-toto statement

jiparis added 22 commits February 10, 2025 20:40
@jiparis
WIP verification with bundle
b9c92d4 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
support multiple CAs
6faa654 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add service interface
c6a1c03 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
implement service
b1073f7 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
lint
2d1194c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
comment config change
74d06f8 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
chart compatibility
90ef32c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
update docs and examples
4b66447 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Merge branch 'PFM-2282-roots' into pfm-2283-verif-chainloop
2b781fc 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
verify with trusted root material
1326f8f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
configure permissions
22c6f31 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
validate issuer
3a72d6c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix tests
499d14b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
validate only one issuer CA
41e4d2d 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Merge branch 'pfm-2282-roots' into pfm-2283-verif-chainloop
5c63dbd
@jiparis
add issuer: true
6493981 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Merge branch 'main' into PFM-2282-roots
7080aa1
@jiparis
Merge branch 'pfm-2282-roots' into pfm-2283-verif-chainloop
a49d635
@jiparis
fix
9b1faa5 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Merge branch 'main' into pfm-2283-verif-chainloop
beb0f8c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
better errors
1f0d5ad 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
better errors
a90b9b7 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from javirln and migmartri February 12, 2025 09:44
migmartri
migmartri approved these changes Feb 12, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simple and nice.

So if there is a bundle but generated with asymetric keys, the verification error will be swallowed and verify will be still false correct?

@jiparis
lint
1b14aac 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Copy link
Member Author

jiparis commented Feb 12, 2025

Simple and nice.

So if there is a bundle but generated with asymetric keys, the verification error will be swallowed and verify will be still false correct?

Correct. In that case it will detect missing Verification material, and will fallback to prevous behaviour (you'd need --verify true --key cosign.pub to do the verification)

@javirln
Copy link
Member

javirln commented Feb 12, 2025

Love this!

@jiparis
support non keyless scenarios
7402b3b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit 9652ebf into chainloop-dev:main Feb 12, 2025
13 checks passed
@jiparis jiparis deleted the pfm-2283-verif-chainloop branch February 12, 2025 10:55
@BrewTestBot BrewTestBot mentioned this pull request Feb 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

@javirln javirln javirln approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jiparis @javirln @migmartri