Add tool to check local materials against products of passed link #589
Conversation
Adds new runlib functionary API, to perform basic vetting of materials. More specifically, to check if the **untrusted** materials match the products of a passed **trusted** link metadata file.

**Caveat** The used link metadata is not validated against a layout. This means, no checking if the link is part of a certain supply chain, or if it was signed by a threshold of authorized functionaries.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

- Loads link metadata from passed path
- Calls runlib API, to record local materials and match with products
- Returns 0 if they match, and 1 otherwise.
- Optionally provides verbose output.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
force-pushed from 1de1a89 to 51b99ca
kudos to @adityasaky for starting this feature in #582 🎉
Very neat and clean! Thanks for picking this one up. 😄
in_toto/in_toto_check_materials.py (outdated)

        print(f"Only in products: {name}")

    for name in only_materials:
        print(f"Only in materials: {name}")
Can we say something other than materials? Depending on context of use, it may not fit the materials terminology, say at the last step.
Sure. Although, in the last step we'd still be checking the materials of the last step, right? I think the terminology fits the use case that motivated this. But you are right that the tool could be used for something else too. Let me adopt the naming you suggested in the original PR.
Apologies, I was thinking of how we'd align it with final product verification if we wanted to in future.
I renamed in the last commit. Please re-approve.
Although the use case that motivated this tool was to check untrusted materials, the tool may also be used to check artifacts that are not materials. In either case, the local artifacts are matched against the products of a link. Hence the new name. h/t @adityasaky

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

force-pushed from c6126b6 to a955197
Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Signed-off-by: Lukas Pühringer <luk.puehringer@gmail.com>

Thanks @lukpueh!
Adds new runlib functionary API, to perform basic vetting of materials. More specifically, to check if the untrusted materials match the products of a passed trusted link metadata file.
Caveat
The used link metadata is not validated against a layout. This means, no checking if the link is part of a certain supply chain, or if it was signed by a threshold of authorised functionaries.
This PR includes: API, CLI, RTD docs, tests and a small unrelated docs fix. Review commit by commit for details.
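To make the check described in this PR concrete, here is an added, self-contained Python sketch of the same idea. It is not the project's code and not the API this PR merges: the function names (`record_artifacts`, `match_products`, `check_artifacts`) are hypothetical, it assumes sha256 is the only hash in the link, and it reads the link as plain JSON in the `signed` / `products` layout without verifying any signature, which mirrors the caveat above (no layout validation, no threshold check). The scenario in `demo()` is constructed: one product with a tampered hash, one product missing locally, and one extra local file.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large artifacts stay cheap."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_artifacts(base_dir):
    """Hash every regular file below base_dir, keyed by relative path.
    Output has the {path: {"sha256": hex}} shape of link materials/products
    (assumption: sha256 is the only algorithm used)."""
    artifacts = {}
    for root, _dirs, files in os.walk(base_dir):
        for fname in files:
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, base_dir).replace(os.sep, "/")
            artifacts[rel] = {"sha256": sha256_file(full)}
    return artifacts


def load_link(path):
    """Parse link metadata JSON. Structure only: the signature is deliberately
    NOT verified here, which is exactly the caveat stated in the PR."""
    with open(path, encoding="utf-8") as f:
        link = json.load(f)
    if link.get("signed", {}).get("_type") != "link":
        raise ValueError(f"{path} is not in-toto link metadata")
    return link


def match_products(link, local_artifacts):
    """Three-way comparison of the link's products against local artifacts:
    (names only in products, names only local, names whose hashes differ).
    An empty triple means every product was reproduced locally."""
    products = link["signed"]["products"]
    in_products, in_local = set(products), set(local_artifacts)
    only_in_products = sorted(in_products - in_local)
    only_local = sorted(in_local - in_products)
    differ = sorted(
        name for name in in_products & in_local
        if products[name].get("sha256") != local_artifacts[name].get("sha256")
    )
    return only_in_products, only_local, differ


def check_artifacts(link_path, base_dir, verbose=False):
    """CLI-style entry point: 0 when local artifacts match the products, else 1."""
    link = load_link(link_path)
    only_in_products, only_local, differ = match_products(link, record_artifacts(base_dir))
    if verbose:
        for name in only_in_products:
            print(f"Only in products: {name}")
        for name in only_local:
            print(f"Only locally: {name}")
        for name in differ:
            print(f"Hashes differ: {name}")
    return 0 if not (only_in_products or only_local or differ) else 1


def _write_files(directory, contents):
    os.makedirs(directory, exist_ok=True)
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: b.txt tampered, d.txt missing, c.txt is an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = {"a.txt": b"alpha", "b.txt": b"beta", "d.txt": b"delta"}
        products = {n: {"sha256": hashlib.sha256(d).hexdigest()} for n, d in expected.items()}
        # Unsigned link skeleton in the in-toto JSON layout (constructed for the demo).
        link = {"signatures": [], "signed": {"_type": "link", "name": "build",
                "command": [], "materials": {}, "products": products,
                "byproducts": {}, "environment": {}}}
        link_path = os.path.join(tmp, "build.link")
        with open(link_path, "w", encoding="utf-8") as f:
            json.dump(link, f)

        bad_dir = os.path.join(tmp, "untrusted")
        _write_files(bad_dir, {"a.txt": b"alpha", "b.txt": b"tampered", "c.txt": b"extra"})
        good_dir = os.path.join(tmp, "reproduced")
        _write_files(good_dir, expected)

        mismatch = match_products(load_link(link_path), record_artifacts(bad_dir))
        return mismatch, check_artifacts(link_path, bad_dir), check_artifacts(link_path, good_dir)
```

Calling `demo()` returns `((["d.txt"], ["c.txt"], ["b.txt"]), 1, 0)`: the untrusted directory fails on all three counts while the faithfully reproduced one passes. The point of the three-way split is that a defender sees *why* the check failed, not just that it did; and because `load_link` never checks a signature, an exit code of 0 only says "these bytes match that link", not that the link came from an authorized functionary.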