
Patch support attestation log search and bundle to payload hash check #1030

Merged

Conversation

houdini91 (Contributor)

Signed-off-by: houdini91 mdstrauss91@gmail.com

Hi guys.
My first PR to cosign, hope I am not misunderstanding something critical.

Summary

PR is a patch to the rekor validation flow when using attestation.

  1. When bundle is not present, searching for intoto rekor entries would fail because the search was using the wrong entry type (rekord vs intoto).
  2. When verifying the attached rekor Bundle, the certificate expiry was checked and the validity of the bundle signature.
    I added a hash test between the bundle content hash and actual payload hash.
    I am not sure if the idea is to verify the bundle's actual body is the responsibility of the policy.

Signed-off-by: houdini91 <mdstrauss91@gmail.com>
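The second point in the summary, a hash comparison between what the log entry in the bundle records and the payload actually presented to the verifier, is the kind of check a bundle verifier needs so that a valid, unexpired signature over one attestation cannot be replayed against a different payload. The following Go program is an added example written for this page, not code from the PR or from cosign: the `entryBody` and `bundle` types are a simplified, hypothetical stand-in for a Rekor entry body and an attached bundle, `verifyBundlePayloadHash` and `newBundle` are names chosen here, and the attestation payload is constructed sample input. It also shows the first point of the summary as a kind check, rejecting a `rekord` entry where an `intoto` entry is expected.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// entryBody is a hypothetical, simplified shape of a Rekor entry body as carried
// inside a bundle: the entry kind plus the hash the log recorded for the content.
// It is an assumption made for this example, not cosign's or rekor's real type.
type entryBody struct {
	Kind string `json:"kind"`
	Spec struct {
		Content struct {
			Hash struct {
				Algorithm string `json:"algorithm"`
				Value     string `json:"value"`
			} `json:"hash"`
		} `json:"content"`
	} `json:"spec"`
}

// bundle holds the one field this check needs: the base64-encoded entry body.
// Signature and inclusion-proof verification are separate steps, not shown here.
type bundle struct {
	Body string
}

// verifyBundlePayloadHash decodes the bundle body, confirms the entry is of the
// expected kind (intoto for attestations, rekord for plain signatures) and then
// checks that the hash recorded in the log matches the payload actually presented.
func verifyBundlePayloadHash(b bundle, payload []byte, wantKind string) error {
	raw, err := base64.StdEncoding.DecodeString(b.Body)
	if err != nil {
		return fmt.Errorf("decoding bundle body: %w", err)
	}
	var e entryBody
	if err := json.Unmarshal(raw, &e); err != nil {
		return fmt.Errorf("parsing bundle body: %w", err)
	}
	if e.Kind != wantKind {
		return fmt.Errorf("bundle entry kind %q, expected %q", e.Kind, wantKind)
	}
	h := e.Spec.Content.Hash
	if h.Algorithm != "sha256" {
		return fmt.Errorf("unsupported hash algorithm %q", h.Algorithm)
	}
	want, err := hex.DecodeString(h.Value)
	if err != nil {
		return fmt.Errorf("decoding recorded hash: %w", err)
	}
	got := sha256.Sum256(payload)
	// Constant-time compare: the digests are not secret, but it costs nothing here.
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return fmt.Errorf("payload hash %x does not match hash recorded in bundle %s", got, h.Value)
	}
	return nil
}

// newBundle builds a constructed bundle whose body records the sha256 of payload
// under the given kind; it exists only to produce sample input offline.
func newBundle(kind string, payload []byte) bundle {
	var e entryBody
	e.Kind = kind
	e.Spec.Content.Hash.Algorithm = "sha256"
	sum := sha256.Sum256(payload)
	e.Spec.Content.Hash.Value = hex.EncodeToString(sum[:])
	raw, _ := json.Marshal(e)
	return bundle{Body: base64.StdEncoding.EncodeToString(raw)}
}

func main() {
	// Constructed sample attestation payload; not a real in-toto statement.
	attestation := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"example"}`)
	good := newBundle("intoto", attestation)
	fmt.Println("matching payload:", verifyBundlePayloadHash(good, attestation, "intoto"))
	fmt.Println("tampered payload:", verifyBundlePayloadHash(good, []byte("something else"), "intoto"))
	fmt.Println("wrong entry kind:", verifyBundlePayloadHash(newBundle("rekord", attestation), attestation, "intoto"))
}
```

The first call returns nil; the second and third return errors, because the bundle was built over a different payload and because a rekord entry is presented where an intoto entry is expected. Whether this belongs in the bundle verifier or in policy is the question the PR raises; either way the check has to run somewhere before the attestation's contents are trusted.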
Member

@dlorenc dlorenc left a comment


A few small nits! Thanks for tracking this down!

pkg/cosign/verify.go
return nil, errors.Wrap(err, "decoding base64 signature")
}

if len(signature) == 0 {
Member

Thanks for tracking this down! I think I understand the logic, but would you mind leaving a comment here to explain it to future people?

Signed-off-by: houdini91 <mdstrauss91@gmail.com>
@houdini91 houdini91 force-pushed the suggestion/attest_rekor_support branch from 36bc068 to 564ad5b Compare November 13, 2021 17:51
Signed-off-by: houdini91 <mdstrauss91@gmail.com>
@dlorenc (Member)

dlorenc commented Nov 14, 2021

Thanks!!!

@dlorenc dlorenc merged commit 5468ddc into sigstore:main Nov 14, 2021
@github-actions github-actions bot added this to the v1.4.0 milestone Nov 14, 2021