Merge branch 'main' into attestor-json-schema

Signed-off-by: John Kjell <john@testifysec.com>

.github/workflows/codeql.yml

@@ -52,6 +52,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
+      - name: Setup Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: 1.21.x
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3

cmd/run.go

@@ -71,11 +71,6 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 		return fmt.Errorf("no signers found")
 	}
 
-	out, err := loadOutfile(ro.OutFilePath)
-	if err != nil {
-		return fmt.Errorf("failed to open out file: %w", err)
-	}
-
 	timestampers := []timestamp.Timestamper{}
 	for _, url := range ro.TimestampServers {
 		timestampers = append(timestampers, timestamp.NewTimestamper(timestamp.TimestampWithUrl(url)))
@@ -117,7 +112,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 			continue
 		}
 
-		attestor, err = registry.SetOptions(attestor, setters...)
+		attestor, err := registry.SetOptions(attestor, setters...)
 		if err != nil {
 			return fmt.Errorf("failed to set attestor option for %v: %w", attestor.Type(), err)
 		}
@@ -132,36 +127,48 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 		roHashes = append(roHashes, cryptoutil.DigestValue{Hash: hash, GitOID: false})
 	}
 
-	defer out.Close()
-	result, err := witness.Run(
+	results, err := witness.RunWithExports(
 		ro.StepName,
 		witness.RunWithSigners(signers...),
 		witness.RunWithAttestors(attestors),
 		witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
 		witness.RunWithTimestampers(timestampers...),
+		witness.RunWithSigners(signers...),
 	)
 	if err != nil {
 		return err
 	}
 
-	signedBytes, err := json.Marshal(&result.SignedEnvelope)
-	if err != nil {
-		return fmt.Errorf("failed to marshal envelope: %w", err)
-	}
+	for _, result := range results {
+		signedBytes, err := json.Marshal(&result.SignedEnvelope)
+		if err != nil {
+			return fmt.Errorf("failed to marshal envelope: %w", err)
+		}
 
-	log.Infof("Writing signed envelope to %s\n", ro.OutFilePath)
-	if _, err := out.Write(signedBytes); err != nil {
-		return fmt.Errorf("failed to write envelope to out file: %w", err)
-	}
+		// TODO: Find out explicit way to describe "prefix" in CLI options
+		outfile := ro.OutFilePath
+		if result.AttestorName != "" {
+			outfile += "-" + result.AttestorName + ".json"
+		}
 
-	if ro.ArchivistaOptions.Enable {
-		archivistaClient := archivista.New(ro.ArchivistaOptions.Url)
-		if gitoid, err := archivistaClient.Store(ctx, result.SignedEnvelope); err != nil {
-			return fmt.Errorf("failed to store artifact in archivista: %w", err)
-		} else {
-			log.Infof("Stored in archivista as %v\n", gitoid)
+		out, err := loadOutfile(outfile)
+		if err != nil {
+			return fmt.Errorf("failed to open out file: %w", err)
+		}
+		defer out.Close()
+
+		if _, err := out.Write(signedBytes); err != nil {
+			return fmt.Errorf("failed to write envelope to out file: %w", err)
 		}
-	}
 
+		if ro.ArchivistaOptions.Enable {
+			archivistaClient := archivista.New(ro.ArchivistaOptions.Url)
+			if gitoid, err := archivistaClient.Store(ctx, result.SignedEnvelope); err != nil {
+				return fmt.Errorf("failed to store artifact in archivista: %w", err)
+			} else {
+				log.Infof("Stored in archivista as %v\n", gitoid)
+			}
+		}
+	}
 	return nil
 }

cmd/verify.go

@@ -143,25 +143,25 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 				log.Error("Step: ", step)
 				for _, p := range result.Rejected {
 					if p.Collection.Collection.Name != "" {
-						return fmt.Errorf("collection rejected: %s, Reason: %s ", p.Collection.Collection.Name, p.Reason)
+						log.Errorf("collection rejected: %s, Reason: %s ", p.Collection.Collection.Name, p.Reason)
 					} else {
-						return fmt.Errorf("verification failure: Reason: %s", p.Reason)
+						log.Errorf("verification failure: Reason: %s", p.Reason)
 					}
 				}
 			}
 		}
 		return fmt.Errorf("failed to verify policy: %w", err)
-	}
-
-	log.Info("Verification succeeded")
-	log.Info("Evidence:")
-	num := 0
-	for step, result := range verifiedEvidence.StepResults {
-		log.Info("Step: ", step)
-		for _, p := range result.Passed {
-			log.Info(fmt.Sprintf("%d: %s", num, p.Reference))
-			num++
+	} else {
+		log.Info("Verification succeeded")
+		log.Info("Evidence:")
+		num := 0
+		for step, result := range verifiedEvidence.StepResults {
+			log.Info("Step: ", step)
+			for _, p := range result.Passed {
+				log.Info(fmt.Sprintf("%d: %s", num, p.Reference))
+				num++
+			}
 		}
+		return nil
 	}
-	return nil
 }

go.mod

@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/in-toto/go-witness v0.3.1
+	github.com/in-toto/go-witness v0.3.2-0.20240509152614-87975b4168e0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
@@ -87,6 +87,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
 	github.com/in-toto/archivista v0.4.0 // indirect
+	github.com/in-toto/attestation v1.0.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jellydator/ttlcache/v3 v3.2.0 // indirect

go.sum

@@ -208,8 +208,10 @@ github.com/hashicorp/hcl v1.0.1-vault-3 h1:V95v5KSTu6DB5huDSKiq4uAfILEuNigK/+qPE
 github.com/hashicorp/hcl v1.0.1-vault-3/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/in-toto/archivista v0.4.0 h1:5g79iqmyXblnnwuD+768lrEbeoE0V5H7URYJFnr0p4I=
 github.com/in-toto/archivista v0.4.0/go.mod h1:HgqAu7az0Ql0Jf844Paf0Ji5PdUMKxO5JIBh4hOjMs8=
-github.com/in-toto/go-witness v0.3.1 h1:Z2GSjGJ0o6FZ+mySSnz+Gc7JQ160/O5eeihMIpiTz8U=
-github.com/in-toto/go-witness v0.3.1/go.mod h1:xPxYQ+G37T+tHqW460iGAgdpF6c2EnUZiQJj+PFqxFY=
+github.com/in-toto/attestation v1.0.1 h1:DgX1XuBkryTpj1Piq8AiMK3CMfEcec3Qv6+Ku+uI3WY=
+github.com/in-toto/attestation v1.0.1/go.mod h1:hCR5COCuENh5+VfojEkJnt7caOymbEgvyZdKifD6pOw=
+github.com/in-toto/go-witness v0.3.2-0.20240509152614-87975b4168e0 h1:8HhlzOFtPbF0dwHbR/IkJqMfMJb7U9oeNk+K1NCz4+Y=
+github.com/in-toto/go-witness v0.3.2-0.20240509152614-87975b4168e0/go.mod h1:inBxgdAup1od08yUYWEMdGVOIRy3hnPVRCkKrtBArTg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -394,8 +396,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
-go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=
-go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ=
+go.step.sm/crypto v0.44.8 h1:jDSHL6FdB1UTA0d56ECNx9XtLVkewzeg38Vy3HWB3N8=
+go.step.sm/crypto v0.44.8/go.mod h1:QEmu4T9YewrDuaJnrV1I0zWZ15aJ/mqRUfL5w3R2WgU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=