Add --verification-keys (subjectPublicKeyInfo) arg to in-toto-verify #652

Merged


@lukpueh lukpueh commented Nov 23, 2023

EDIT 2023/12/05: rename --subjectPublicKeyInfo to --verification-keys, and also test with dsse demo files


This is meant as replacement for --layout-keys, supporting a
consistent standard key file format (subjectPublicKeyInfo/pem).

It is part of a series of patches to prepare for deprecation of legacy
securesystemslib interfaces and key file formats.

Change details

Adds helper to load public key file as SSlibKey and convert it to its
dictionary representation with the keyid included, to make it compatible
with verifylib.in_toto_verify.

in-toto-verify uses this for keys passed with --verification-keys.

In the future we might want to support Key (SSlibKey's base class)
natively in in_toto_verify.

This PR also adds a deprecation warning for --layout-keys and tests
using the demo supply chain.

Test public key files come from secure-systems-lab/securesystemslib#604.
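
A subjectPublicKeyInfo file carries its own algorithm identifier, so the key type can be read from the file itself. The sketch below is an added example using only the Python standard library, not code from in-toto or securesystemslib; the function names are hypothetical and the sample key is constructed placeholder bytes, not a real key.

```python
import base64
import re

# Algorithm OIDs found in subjectPublicKeyInfo (RFC 5280, RFC 5480, RFC 8410).
KEY_TYPES = {"1.2.840.113549.1.1.1": "rsa", "1.2.840.10045.2.1": "ecdsa",
             "1.3.101.112": "ed25519"}
PEM_RE = re.compile(rb"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)

def read_tlv(buf):
    """Return (tag, value) of the first DER element in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        pos += length & 0x7F
        length = int.from_bytes(buf[2:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, arc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        arc = (arc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(arc)
            arc = 0
    return ".".join(map(str, arcs))

def key_type_from_spki_pem(pem):
    """Return 'rsa', 'ecdsa' or 'ed25519' for a PEM 'PUBLIC KEY' block."""
    match = PEM_RE.search(pem)
    if not match:  # e.g. a pkcs8 'PRIVATE KEY' passed as a verification key
        raise ValueError("no PEM subjectPublicKeyInfo ('PUBLIC KEY') block")
    _, spki = read_tlv(base64.b64decode(match.group(1)))  # outer SEQUENCE
    _, algorithm = read_tlv(spki)                         # AlgorithmIdentifier
    tag, oid = read_tlv(algorithm)                        # algorithm OID
    key_type = KEY_TYPES.get(decode_oid(oid)) if tag == 0x06 and oid else None
    if key_type is None:
        raise ValueError("unsupported or malformed key algorithm")
    return key_type

def to_pem(der, label="PUBLIC KEY"):
    """Wrap DER bytes in PEM armor (used to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

# Constructed sample: valid Ed25519 SPKI framing around placeholder key bytes.
SAMPLE_ED25519 = to_pem(bytes.fromhex("302a300506032b6570032100") + bytes(range(32)))
```

The parser only inspects the PEM label and the algorithm identifier; it does not validate the key material itself.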

@lukpueh lukpueh force-pushed the in-toto-verify-add-subjectPublicKeyInfo branch 3 times, most recently from 1e087f8 to 219ad27 Compare November 24, 2023 12:51
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Nov 24, 2023
blocks on in-toto#652

----

Changes `in-toto-sign` to expect pem/pkcs8 signing keys and
pem/subjectPublicKeyInfo verification keys passed with the `--key`
argument. `--key-type` is now obsolete and removed.

Otherwise the behavior of in-toto-sign remains the same.

This is part of a series of patches to prepare for removal of legacy
securesystemslib interfaces and key file formats.

**Change details**

Unlike in-toto-verify (in-toto#652) and in-toto-run/record (in-toto#651, in-toto#649), where
new arguments were introduced for the new formats, and deprecation
warnings were added to the old arguments, in-toto-sign is changed
directly.

This is because the main use cases for in-toto-sign have been:
- in-toto maintainers re-signing test/demo metadata
- layout-web-tool users signing online-generated layouts

Given that the layout-web-tool is currently offline for revision
(in-toto/layout-web-tool#70) and in-toto
maintainers should be easily able to adapt, a direct change is not
expected to disrupt anyone's operations.

IMO this can even be released as part of a minor version bump.

**Test change details**

- use new pre-generated key files instead of demo key files (but keep
  using demo metadata)
- update expected keyid link file name where necessary
- remove `--key-type` in cli invocations
- remove `--key-type`-specific tests
- remove obsolete test case, which uses 4 keys

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Nov 27, 2023
As we are switching to a standard key file format (see in-toto#649, in-toto#651
and in-toto#652), we no longer need to maintain a custom command line tool,
to generate key files in a proprietary in-toto/securesystemslib format.

Docs on how to migrate existing keys or generate new key files with
standard tooling (`pyca/cryptography` or `openssl` cli) are available
in:
https://github.com/secure-systems-lab/securesystemslib#legacy-key-migration

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@lukpueh lukpueh mentioned this pull request Nov 27, 2023
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Nov 28, 2023
blocks on in-toto#652

Refactor `Layout.add_functionary_key_from_path()` to use new public key
loading infrastructure, in preparation for the removal of legacy
securesystemslib modules and key (file) formats.

Coincidentally, this method used to only support rsa public keys, and
the legacy key loader already supported PEM/subjectPublicKeyInfo format
for rsa, which is now supported for all key types.

This means the patch is backwards compatible for rsa keys and adds
support for ed25519 and ecdsa keys.

The patch also changes tests to use new test key files and try all 3
supported formats.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@lukpueh lukpueh force-pushed the in-toto-verify-add-subjectPublicKeyInfo branch from 219ad27 to 9de11d5 Compare December 4, 2023 14:12
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Dec 4, 2023
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Dec 4, 2023

blocks on:
- in-toto#649

---

This is meant as replacement for `--layout-keys`, supporting a
consistent standard key file format (subjectPublicKeyInfo/pem).

It is part of a series of patches to prepare for deprecation of legacy
securesystemslib interfaces and key file formats.

**Change details**

Adds helper to load public key file as SSlibKey and convert it to its
dictionary representation with the keyid included, to make it compatible
with verifylib.in_toto_verify.

in-toto-verify uses this for keys passed with --subjectPublicKeyInfo.

NOTE: requires unreleased securesystemslib API, which **blocks** this PR.

In the future we might want to support Key (SSlibKey's base class)
natively in in_toto_verify.

This PR also adds a deprecation warning for --layout-keys and tests
using the demo supply chain.

Test public key files come from secure-systems-lab/securesystemslib#604.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
This aligns with the rename of the corresponding private key
argument to a less technical name. (--pkcs -> --signing_key)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Copy TestInTotoVerifySubjectPublicKeyInfoKeys to
TestInTotoVerifySubjectPublicKeyInfoKeysAndUseDSSE, using
dsse demo files.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@lukpueh lukpueh force-pushed the in-toto-verify-add-subjectPublicKeyInfo branch from 9de11d5 to 4c8f124 Compare December 5, 2023 10:16
@lukpueh lukpueh marked this pull request as ready for review December 5, 2023 10:18
@lukpueh lukpueh changed the title Add --subjectPublicKeyInfo arg to in-toto-verify Add --verification-key (subjectPublicKeyInfo) arg to in-toto-verify Dec 5, 2023
@lukpueh lukpueh changed the title Add --verification-key (subjectPublicKeyInfo) arg to in-toto-verify Add --verification-keys (subjectPublicKeyInfo) arg to in-toto-verify Dec 5, 2023
@lukpueh lukpueh merged commit a971d40 into in-toto:develop Dec 6, 2023
16 checks passed
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Dec 6, 2023
lukpueh added a commit to lukpueh/in-toto that referenced this pull request Dec 6, 2023