feat: add offline bundle signature verification #457
Conversation
Signed-off-by: Asra Ali <asraa@google.com>
asraa
changed the title
| }{ | ||
| { | ||
| name: "valid", | ||
| path: "./testdata/bundle/attestation.intoto.sigstore", |
There was a problem hiding this comment.
we'll add invalid / adversarial ones inn the future?
There was a problem hiding this comment.
Just added one or two that were easily to manipulate without creating a test Rekor signer. Filed a follow-up issue
#461
We'll be generating a suite from sigstore-go pretty soon, so we can close this out either by borrowing cases there or moving the code to call a verification func there that's tested.
verifiers/internal/gha/rekor.go
Outdated
| @@ -67,13 +67,17 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entry | |||
| return nil, errors.New("expected matching UUID") | |||
| } | |||
| // Validate the entry response. | |||
| return verifyTlogEntry(ctx, rekorClient, entry) | |||
| return verifyTlogEntry(ctx, entry, true) | |||
There was a problem hiding this comment.
iiuc, we'll perform an online verification by default to be consistent with our existing code. And we'll provide an option to turn it off in the futuer, e.g. rekor-log-offline?
There was a problem hiding this comment.
Right now the existing code still validates the inclusion proof (which requires online).
I haven't configured augmenting the offline verification with an online proof yet, this code just checks verification of the offline material. I'll file an issue though to augment with an option to check inclusion online as well.
|
qq: does the verification also verifies the SCT (ie the fulcio CA cert was recorded in the TLS CT log)? somewhat related: something we need to do is unable this for the TLS connection as well #458 |
Yes! By default now the check is on
Hmm not sure I totally understand this. The leaf cert is in the CT log. |
asraa
changed the title
+1
Are CA certs (ie Fulcio cert) in CT log as well? Do we care? How about rekor cert (which is a leaf cert)? Do we care? Which are verified? |
Oh, yes the CA cert is in the CT log. SCT verification being enforced now (regenerating test cases, this is why they are failing) checks the offline promise of that. We don't check them online, but neither does normal CT. So this part is now enforced/verified.
This I do not understand. Rekor signs with a public key that is retrieved from the TUF root and does not have a leaf cert. |
OK. I thought maybe there was a cert issued as well. Ignore my comment then. |
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
| @@ -17,6 +17,9 @@ var ( | |||
| trustedBuilderRepository = "slsa-framework/slsa-github-generator" | |||
| e2eTestRepository = "slsa-framework/example-package" | |||
| certOidcIssuer = "https://token.actions.githubusercontent.com" | |||
| // This is used in cosign's CheckOpts for validating the certificate. We | |||
| // do specific builder verification after this. | |||
| certSubjectRegexp = "https://github.com/*" | |||
There was a problem hiding this comment.
that will also be necessary for npm provenance verification (the one without the trusted builder)
There was a problem hiding this comment.
do we intend on verifying non-L3 provenance though?
but yes - it's just a nit that cosign v2 requires some validation on it so I had to add it even though we do a more detail check on it later.
|
LGTM to merge. |
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: Asra Ali asraa@google.com