Attestation Transparency! #321

Merged (1 commit, Jun 7, 2021)

Conversation

@dlorenc (Member) commented Jun 2, 2021

This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

TODO:

  • End to End tests
  • Size limits for attestations
  • Figure out storage key (UUID of entry or of attestation? How to verify attestation hash? We store only the "statement", not the overall envelope. Maybe store both?)

Signed-off-by: Dan Lorenc <dlorenc@google.com>
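The description above sketches the shape of the feature: an entry interface gains an `Attestation` method, the returned bytes go to a blob store (GCS in the PR, but any blob store), and the feature sits behind an on/off flag with a size cap. The following is an added Go example, not rekor's code from this PR, that demonstrates that shape end to end. Every name in it (`Entry`, `BlobStore`, `memStore`, `AttestationStorage`, `statementEntry`) is a hypothetical stand-in for the example, and it also addresses the open storage-key question in the TODO by keying the blob under the SHA-256 of the stored bytes so a reader can verify what it fetched against the digest recorded with the log entry.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Entry is a hypothetical stand-in for the entry interface the PR extends:
// an entry may hand back an attestation it wants stored beside the log entry.
type Entry interface {
	Attestation() []byte
}

// BlobStore is the minimal put/get abstraction the PR describes (GCS there);
// memStore below is a constructed in-memory implementation for this example.
type BlobStore interface {
	Put(key string, data []byte) error
	Get(key string) ([]byte, error)
}

type memStore struct {
	mu    sync.Mutex
	blobs map[string][]byte
}

func newMemStore() *memStore { return &memStore{blobs: map[string][]byte{}} }

func (m *memStore) Put(key string, data []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.blobs[key] = append([]byte(nil), data...) // copy: callers must not alias stored bytes
	return nil
}

func (m *memStore) Get(key string) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	b, ok := m.blobs[key]
	if !ok {
		return nil, fmt.Errorf("no attestation stored under key %q", key)
	}
	return append([]byte(nil), b...), nil
}

var (
	ErrDisabled = errors.New("attestation storage is disabled")
	ErrTooLarge = errors.New("attestation exceeds the configured max size")
)

// AttestationStorage carries the two knobs the PR mentions: a feature flag and
// a maximum attestation size (0 means unlimited).
type AttestationStorage struct {
	Enabled bool
	MaxSize int
	Blobs   BlobStore
}

// digestKey keys a blob by the SHA-256 of its content, so whoever reads it
// back can check the bytes against the digest recorded in the log entry.
func digestKey(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Store persists the entry's attestation, if it has one, and returns the key.
// An entry with no attestation is not an error; there is simply nothing to store.
func (s *AttestationStorage) Store(e Entry) (string, error) {
	att := e.Attestation()
	if len(att) == 0 {
		return "", nil
	}
	if !s.Enabled {
		return "", ErrDisabled
	}
	if s.MaxSize > 0 && len(att) > s.MaxSize {
		return "", fmt.Errorf("%w: %d > %d bytes", ErrTooLarge, len(att), s.MaxSize)
	}
	key := digestKey(att)
	if err := s.Blobs.Put(key, att); err != nil {
		return "", err
	}
	return key, nil
}

// Fetch reads an attestation back and returns it only if its digest matches
// the key, so a modified or mis-keyed blob is rejected rather than trusted.
func (s *AttestationStorage) Fetch(key string) ([]byte, error) {
	att, err := s.Blobs.Get(key)
	if err != nil {
		return nil, err
	}
	if got := digestKey(att); got != key {
		return nil, fmt.Errorf("attestation digest mismatch: key %s, content %s", key, got)
	}
	return att, nil
}

// statementEntry is a constructed Entry whose attestation is an in-toto style statement.
type statementEntry struct{ statement []byte }

func (e statementEntry) Attestation() []byte { return e.statement }

func main() {
	s := &AttestationStorage{Enabled: true, MaxSize: 1 << 20, Blobs: newMemStore()}
	key, err := s.Store(statementEntry{statement: []byte(`{"_type":"https://in-toto.io/Statement/v0.1"}`)})
	fmt.Println("stored under", key, err)
	att, err := s.Fetch(key)
	fmt.Println(string(att), err)
}
```

Keying by content digest rather than by the entry's UUID means the blob store never has to be trusted: a client that knows the digest from the log entry can detect a swapped or truncated attestation on fetch. The size check runs before the write so an oversized attestation is rejected without ever touching the store.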

@dlorenc dlorenc force-pushed the storage branch 4 times, most recently from 0aca0a4 to 70ffb41 Compare June 5, 2021 20:55
@dlorenc dlorenc changed the title WIP: Attestation Transparency! Attestation Transparency! Jun 5, 2021
@dlorenc dlorenc force-pushed the storage branch 11 times, most recently from 01b7c59 to 010daaa Compare June 5, 2021 23:41
This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

Signed-off-by: Dan Lorenc <dlorenc@google.com>
@bobcallaway (Member) left a comment

one question, but LGTM otherwise

uuid := getUUIDFromUploadOutput(t, out)

// The attestation should be stored at /var/run/attestations/$uuid
cmd := exec.Command("docker", "run", "-v", "/var/run/attestations:/var/run/attestations", "alpine", "cat", "/var/run/attestations/"+uuid)
Member: could this be simplified to just read directly from /var/run/attestations/ on the host?

@dlorenc (Member Author): Not always, especially in CI you're typically running in a container too with the docker socket mounted in.

It's the same roughly for Mac or anywhere that you have docker in a VM.

@dlorenc dlorenc merged commit f3ce796 into sigstore:main Jun 7, 2021
@dlorenc dlorenc deleted the storage branch June 7, 2021 12:25
@cpanato cpanato added this to the 0.2.0 milestone Jun 7, 2021