Skip to content

feat(policies): expose signing options in attestation #2007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 30, 2025
Merged

feat(policies): expose signing options in attestation #2007

merged 3 commits into from
Apr 30, 2025

Conversation

jiparis
Copy link
Member

@jiparis jiparis commented Apr 30, 2025
edited
Loading

This PR adds signing options to the statement predicate. This is convenient to create policies that check for signing configurations (regardless of the final signing method used for the attestation).
New properties are:

  • signingCA (name of the CA provider configured)
  • signingTSA (TSA URL)

This is a best effort to detect best practices at crafting time.

> chainloop wf run describe --id 7d836fc3-287d-46ec-82ca-1c469324e866 -o statement
WRN API contacted in insecure mode
{
   "type": "https://in-toto.io/Statement/v1",
   "subject": [
      {
         "name": "chainloop.workflow.mywf",
         "digest": {
            "sha256": "8a33f95f7deb814a5515a5e8b1bbcd3a18ae341e000e55793f1b121321add447"
         }
      },
      {
         "name": "git.head",
         "digest": {
            "sha1": "1eead8a0bbe0bad68577c4993b2fb17da5f7162c"
         },
        ...
   ],
   "predicate_type": "chainloop.dev/attestation/v0.2",
   "predicate": {
      "buildType": "chainloop.dev/workflowrun/v0.1",
      "builder": {
         "id": "chainloop.dev/cli/dev@sha256:18af0c5f7fe44f6a0c704902b1be82d7dd6865a64035313cf9b7e9e352d3a1c5"
      },
      "metadata": {
          ...
      },
     ...

      "signingCA": "fileCA"
   }
}

jiparis added 2 commits April 30, 2025 14:16
@jiparis
retrieve configured signer in signing options
1eead8a 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
expose signing options in attestation
bf8675a 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from migmartri and javirln April 30, 2025 14:09
@jiparis
fix tests
0490f4f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit f81189d into chainloop-dev:main Apr 30, 2025
13 checks passed
@jiparis jiparis deleted the COM-76-signingoptions branch April 30, 2025 14:25
@BrewTestBot BrewTestBot mentioned this pull request May 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@javirln javirln javirln approved these changes

@migmartri migmartri Awaiting requested review from migmartri

+1 more reviewer

@joao-krauchenco-mottu joao-krauchenco-mottu joao-krauchenco-mottu approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jiparis @javirln @joao-krauchenco-mottu