Skip to content

chore(signing): verify signature on att push #2606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiparis merged 2 commits into from
Dec 5, 2025
Merged

chore(signing): verify signature on att push #2606

jiparis merged 2 commits into from
Dec 5, 2025

Conversation

@jiparis
Copy link
Member

@jiparis jiparis commented Dec 5, 2025

This change ensures that the attestation bundle is verified on attestation push, failing if the signature is not recognized (only when chainloop is the signer)

@jiparis
verify signature on att push
b43825f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from javirln and migmartri December 5, 2025 15:24
@jiparis
remove space
5d53b0d 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri reviewed Dec 5, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome

app/controlplane/pkg/biz/workflowrun.go
}

// verify attestation (only if chainloop is the signer)
result, err := uc.verifyBundle(ctx, rawContent)
Copy link
Member

@migmartri migmartri Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where is the logic that makes sure the bundle is verified when keyless signing was used?

migmartri
migmartri approved these changes Dec 5, 2025
View reviewed changes
app/controlplane/pkg/biz/workflowrun.go

func (uc *WorkflowRunUseCase) Verify(ctx context.Context, run *WorkflowRun) (*VerificationResult, error) {
func (uc *WorkflowRunUseCase) VerifyRun(ctx context.Context, run *WorkflowRun) (*VerificationResult, error) {
return uc.verifyBundle(ctx, run.Attestation.Bundle)
Copy link
Member

@migmartri migmartri Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any case where run.Attestation would be empty?

Copy link
Member

@migmartri migmartri Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems it will not, makes sense.

app/controlplane/pkg/biz/workflowrun.go
}

// if it's verifiable, make sure it passed
if result != nil && !result.Result {
Copy link
Member

@migmartri migmartri Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, so result will be nil if can't be verified? I'd make it more explicit somehow

Copy link
Member Author

@jiparis jiparis Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes in that case it would return nil, nil. I agree it should return something more explicit.

@jiparis jiparis merged commit ed92f11 into chainloop-dev:main Dec 5, 2025
16 of 17 checks passed
@jiparis jiparis deleted the verify-on-push branch December 5, 2025 16:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jiparis @migmartri