[Docs] Update readme with issues encountered and workaround #186

Merged
merged 2 commits into from
Mar 15, 2024
25 changes: 21 additions & 4 deletions demo/cts_poc/README.md
@@ -1,6 +1,6 @@
# CTS PoC Demo

This demo provides a simple and generic Proof of Concept for a Code Transparency Service (CTS) using the SCITT CCF ledger. The scripts provided in this folder allow configuring a new SCITT CCF instance, generating and submitting claims in COSE format, getting a SCITT receipt for a submitted claim, and verifying the receipt validity.
This demo provides a simple and generic Proof of Concept for a Code Transparency Service (CTS) using the SCITT CCF ledger. The scripts provided in this folder allow configuring a new SCITT CCF instance, generating and submitting claims in COSE format, getting a SCITT receipt for a submitted claim, and verifying the receipt validity.

## Prerequisites

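Review bot: the removed and added copies of the opening paragraph are character-for-character identical in this view, so the change is presumably whitespace or line endings only; mention that in the PR description (or drop the whitespace-only edit) so reviewers do not hunt for a textual difference that is not there.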
@@ -39,7 +39,7 @@ All the commands must be run from the root of the repository.
export SCITT_URL=<address>
```

If the `SCITT_URL` variable is not set, the scripts will target a local instance by default (`http://localhost:8000`).
If the `SCITT_URL` variable is not set, the scripts will target a local instance by default (`https://localhost:8000`).

2. Run the [`1-operator-demo.sh`](1-operator-demo.sh) to configure the instance. Here a pre-generated x509 CA is used `demo-poc/x509_roots/cacert.pem` but you can add your own if using Key Vault. Furthermore, if you have [DID WEB TLS roots](../../docs/configuration.md#did-web-tls-roots) you would like to configure, you can specify the path to the certificate file with the `DID_WEB_ROOT_PATH` environment variable.

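Review bot: this hunk changes the documented default from `http://localhost:8000` to `https://localhost:8000` but touches no script, so please confirm the scripts' built-in default really is the HTTPS URL, otherwise the README now disagrees with the code. A local instance served over HTTPS typically presents a self-signed or locally generated certificate that is not in the system trust store, so the paragraph should also say how the scripts are expected to trust it (a CA bundle path or a flag); a reader who sets nothing will likely hit a TLS verification failure before reaching any of the demo steps.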
@@ -67,6 +67,8 @@ SIGNING_METHOD="cacert" CACERT_PATH="demo-poc/x509_roots/cacert.pem" PRIVATE_KEY

##### Option 2. Use DID document and private key

**Note**: This step assumes that user already has DID configured. For more details you can also check github DID demo [here](../github/README.md)

If you have a DID document and the corresponding private key, you can use those for creating the signature with a similar command:

```bash
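Review bot: the added note reads "assumes that user already has DID configured"; change it to "assumes that the user already has a DID configured" and capitalise "GitHub DID demo". The link `../github/README.md` resolves relative to `demo/cts_poc/`, i.e. to `demo/github/README.md`, so please check that a README exists at that path. It would also help to state here that the DID and X509 signing paths must not be mixed within one run, since the "Known Issues" text added further down attributes the "Unknown service identity" error to exactly that.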
@@ -79,22 +81,25 @@ You will need the details about your keys and your identity needs to have access

- The CA if there is one or the self signed cert needs to be configured in the instance
- Download the certificates to include in the x5c header:

```bash
az keyvault certificate download --vault-name $VAULT_NAME -n $CERT_NAME -f demo-poc/x509_roots/cacert.pem -e PEM
```

- If the certificate has an issuer CA then download it and append it to the same file:

```bash
openssl x509 -noout -text -in demo-poc/x509_roots/cabundle.pem -inform PEM | grep URI
CA Issuers - URI:http://www.issuer.com/pkiops/certs/2024.crt
curl -s "http://www.issuer.com/pkiops/certs/2024.crt" | openssl x509 >> demo-poc/x509_roots/cacert.pem
```

- Prepare Key Vault config file for the script to use:

```bash
echo '{"keyVaultName": "$VAULT_NAME", "certificateName": "$CERT_NAME", "certificateVersion": "$CERT_VER"}' > demo-poc/akv.json
```

- Run the script

```bash
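Review bot: the `echo '{"keyVaultName": "$VAULT_NAME", ...}' > demo-poc/akv.json` line is single-quoted, so `$VAULT_NAME`, `$CERT_NAME` and `$CERT_VER` are written literally into the file instead of being expanded; use double quotes with escaped inner quotes, e.g. `echo "{\"keyVaultName\": \"$VAULT_NAME\", \"certificateName\": \"$CERT_NAME\", \"certificateVersion\": \"$CERT_VER\"}"`, or a heredoc, unless the script itself expands those placeholders (in which case say so). Two more points in the same block: `openssl x509 -noout -text -in demo-poc/x509_roots/cabundle.pem` reads a file the download step above never creates (it writes `cacert.pem`), and the `CA Issuers - URI:...` line is sample output sitting between two commands, so mark it as output rather than letting readers paste it. Finally, the issuer certificate fetched over plain `http://` is appended straight into the file that the instance is then told to trust as a CA; the text should tell the reader to confirm that what came back is the expected issuer (for example `openssl verify` of the leaf against it, or comparing its fingerprint with what the CA publishes) before appending it.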
@@ -105,7 +110,7 @@ You will need the details about your keys and your identity needs to have access

If you want to generate a signature with a self-signed certificate in Azure Key Vault for a container image present in an Azure Container Registry, you can use the [2b-notary-sign.sh](2b-notary-sign.sh) script. The script uses [Notation](https://github.com/notaryproject/notation) to create the image signature in ACR using the input Key Vault certificate. It then uses [ORAS](https://oras.land/) to fetch the image signature as a COSE object, ready to be submitted to a SCITT ledger.

The process to sign a container image with Notation and Azure Key Vault using a self-signed certificate is documented [here](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push). Please note that a pre-requisite for this script is to have a Key Vault instance with a self-signed certificate compatible with the [Notary Project certificate requirements](https://github.com/notaryproject/specifications/blob/main/specs/signature-specification.md#certificate-requirements). You can find more information on how to create a compatible self-signed certificate in AKV [here](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push#create-a-self-signed-certificate-in-akv-azure-cli).
The process to sign a container image with Notation and Azure Key Vault using a self-signed certificate is documented [here](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push). Please note that a pre-requisite for this script is to have a Key Vault instance with a self-signed certificate compatible with the [Notary Project certificate requirements](https://github.com/notaryproject/specifications/blob/main/specs/signature-specification.md#certificate-requirements). You can find more information on how to create a compatible self-signed certificate in AKV [here](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push#create-a-self-signed-certificate-in-akv-azure-cli).

For running the script, you can provide the following environment variables:

@@ -128,3 +133,15 @@ The script will submit the COSE claim to the SCITT ledger and will wait for a re
COSE_CLAIMS_PATH="demo-poc/payload.sig.cose" OUTPUT_FOLDER="demo-poc" ./demo/cts_poc/3-client-demo.sh
```

#### Known Issues and Workaround for Local Virtual SGX Build

- If you encounter an "unknown service identity" error during the claim submission process, it may be due to attempting to sign and submit using both DID and X509 simultaneously.
> ValueError: Unknown service identity '6234efjkfhbsd1random000hash0jkbfdsbfdsjbfg'

_Workaround:_ To avoid this, ensure you use either X509 or DID exclusively throughout the entire demo.
- Proposal failing with 403
> enclave:../src/node/rpc/member_frontend.h:103 - POST /gov/proposals returning error 403: Member m[1e6aee66336c09bf4random8b55398nodeb3d2e08478c092491459a6063] is not active.

This means the scitt instance is not configured properly.
_Workaround:_ To configure on local, run following command and re-try:
> ./pyscitt.sh governance local_development --url $SCITT_URL
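Review bot: the list formatting in the new "Known Issues" section will not render as intended: the `>` error lines and the `_Workaround:_` lines sit at column 0 directly under their bullets, so Markdown closes the list item and renders them as a stray blockquote and paragraph; indent them two spaces under the bullet, with a blank line before each blockquote, so each issue, its error text and its workaround stay together. Wording: "scitt instance" should be "SCITT instance", "run following command and re-try" should be "run the following command and retry", and the second explanation is more precise as "the member has not been activated", which is what the 403 text says. The heading scopes both issues to the "Local Virtual SGX Build", yet the first one (signing and submitting with both DID and X509 in one run) is not tied to the build flavour as described; either rename the heading or say which issue is build-specific. Lastly, the workaround command passes `--url $SCITT_URL`, which an earlier step describes as optional; if the variable is unset the command runs with an empty `--url`, so either show the explicit local URL or note that `SCITT_URL` must be exported first.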