Added support for sha384/sha512 hash algorithms in hashedrekords

[ret2libc]

Summary

Add support for SHA384/512 in hashedrekord type. This PR has been split from #1945 and borrows code from #1958 (from @bobcallaway ).

Release Note

• Extend hashedrekord v0.0.1 schema to support sha256, sha384, and sha512 in data.hash.algorithm
• Changed hashedrekord.CreateFromArtifactProperties to accept a prefixed-checksum (e.g. sha512:<value>) to determine the type of hash used.
• Added util.UnprefixSHA API to split a string into the crypto.Hash being used and its value

Documentation

[ret2libc]

cc @haydentherapper @bobcallaway @woodruffw @tetsuo-cpp

[codecov]

Codecov Report

Attention: 11 lines in your changes are missing coverage. Please review.

Comparison is base (fc28ac1) 66.39% compared to head (0f1f8e3) 66.48%.

Files	Patch %	Lines
pkg/util/sha.go	76.66%	7 Missing ⚠️
pkg/types/hashedrekord/v0.0.1/entry.go	80.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1959      +/-   ##
==========================================
+ Coverage   66.39%   66.48%   +0.08%     
==========================================
  Files          92       92              
  Lines        9199     9246      +47     
==========================================
+ Hits         6108     6147      +39     
- Misses       2347     2355       +8     
  Partials      744      744              

Flag	Coverage Δ
e2etests	47.53% <34.00%> (-0.11%)	⬇️
unittests	47.68% <78.00%> (+0.44%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bobcallaway]

I know this is probably because the function above included sha1, but I think we should remove this (and the stanza above). There's no other use of that AFAIK in sigstore, and I wouldn't want to perpetuate this.

[bobcallaway]

actually, i think it is used to search for entries from gitsign, im working to confirm

@wlynch - any thoughts?

[bobcallaway]

#499

[bobcallaway]

nm, i think we need to leave this - but it would be nice to add a test case that calls CreateFromArtifactProperties with a proposed sha1 value to ensure that it doesn't somehow end up in the log.

[ret2libc]

Added it in 6903f5f . Please let me know if this is what you meant, otherwise I can adjust it.

[wlynch]

We don't use this for gitsign today - gitsign does a sha256 over the commit content + sha1 for rekor.

(though it would be a neat way to remove some of the chattiness gitsign has today with it's sha -> rekor entry lookup 🤔 )

Since it looks like this is already done + tests were added, I say keep it. We can revisit removing it later.

[haydentherapper]

LGTM, can you add the one test bob mentioned?

[bobcallaway]

Could you switch this to use the same pattern as above where you call CreateFromArtifactProperties? That is the call path that is at risk (as the JSON Schema validation will fail the API request)

[woodruffw]

Doing this now!

[woodruffw]

Done in 0f1f8e3: I've moved this out of e2e since it no longer needs access to a runtime Rekor instance.

[ret2libc]

The reason why I did not use CreateFromArtifactProperties is that the test would fail in CreateFromArtifactProperties on the client side and and not on the rekor server side. Thus I wanted to test that the server did not accept it rather than just checking the client.

[woodruffw]

The reason why I did not use CreateFromArtifactProperties is that the test would fail in CreateFromArtifactProperties on the client side and and not on the rekor server side. Thus I wanted to test that the server did not accept it rather than just checking the client.

That makes sense, but I think @bobcallaway is pointing out that the server side is already checked by virtue of the JSON Schema Validation -- we could include both checks, though (with the non-e2e doing CreateFromArtifactProperties and the e2e doing it manually).