Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support single-subject attestations #219

Open
wants to merge 7 commits into
base: main
Choose a base branch
from

Conversation

AA-Turner
Copy link

@AA-Turner AA-Turner commented Feb 28, 2025

Closes #213, cc @phillmv.

A

Copy link
Author

@AA-Turner AA-Turner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The gigantic diff is as I ran npm run bundle, which regenerated the index.js file -- let me know if this should be reverted.

A

Copy link
Contributor

@phillmv phillmv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello! This was extremely prompt, so I feel I owe you a prompt review.

I hereby request some changes:

  • please delete the your generated index.js; this file really ought to be built automatically inside Actions but………… if we haven't set that automation up, then it really needs to have been generated by one of our maintainers :)
  • if you unwind the createSingle/Multi functions so createAttestation is called directly inside the if (inputs.singleSubjectAttestations) { statement then we don't need to modify the AttestResult type / the log functions don't have to be modified either
  • I left some comments on the log functions, let's avoid modifying their signatures, keeps this diff even simpler.

Thanks!,

src/main.ts Outdated
attestation: AttestResult,
sigstoreInstance: SigstoreInstance
): void => {
const subjects = attestation.attestationSubjects
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we unwind createSingle/Multi attestations, we can call this like we did before.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've now reverted this (logAttestation) to the previous state, passing the full subjects list instead of a per-attestation attestationSubjects. I'm not sure though that this is the right change to make.

The current design of actions/attest@v2 has a single attestation with multiple subjects. logAttestation is thus only ever called once, with the full list of subjects. This list of subjects matches the subjects attested in the single attestation. Should there only be a single artefact, the name and SHA256 digest are printed, else the number of subjects is printed.

This PR introduces a 1:1 relationship between subjects and attestations. We now call logAttestation once per attestation generated, but each time with the full list of subjects. We should thus print the name and digest of the single subject each time -- but we can't, as there's no easy way of linking the attested subject to the created attestation (I have looked through the fields of the Attestation type).

The result is that we only print the name and digest if there is exactly one subject being attested (i.e. the behaviour is the same regardless of this PR), and that for more than one subject we print "Attestation created for N subjects", N times. Clearly this is wrong.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects. I understand not wanting to unnecessarily change the AttestationResult type, so the latter option may be the most pragmatic. (see below for context on why I contend that printing subjects is valuable, though).


The other half of this, and the reason behind my change to logSummary(), is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out. One can introspect the name by base64-decoding the DSSE Envelope's payload & extracting the inner subject key, but this isn't exactly ergonomic. Especially for glob input, I do feel that this action should print the names (and digests) of the attested subjects for overview and debugging.

Ideally, the underlying JavaScript / TypeScript code would be changed to allow easier access to the names of subjects, obviating the need for the custom attestationSubjects list, but I don't know if this is possible given that Sigstore specifications must be adhered to.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects.

Shall we remove the == 1 check and the need to pass in subjects at all 😅 ?

is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out.

Genuine curiosity: how and why do you need this output? Just entirely for debugging?

(For the record, my interest here is in just keeping a small and tidy PR).

I'd support a) ditching subjects as a param to logAttestation and just having a logSubjects that prints the list separately with formatSubjectDigest 🙂.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects.

Shall we remove the == 1 check and the need to pass in subjects at all 😅 ?

This might end up being the most pragmatic option for this PR.

is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out.

Genuine curiosity: how and why do you need this output? Just entirely for debugging?

(For the record, my interest here is in just keeping a small and tidy PR).

I agree small PRs are better. For the short term, the output is useful as a sanity check / for debugging. Longer term, it would be great to have some access to the names of subjects via the Attestation object, as my use-case involves converting to PEP 740 attestations for the Python Package Index, for which I need to know the filename of the subject.

I have pushed a logSubjects change as you suggest @phillmv.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Longer term, it would be great to have some access to the names of subjects via the Attestation object, as my use-case involves converting to PEP 740 attestations for the Python Package Index, for which I need to know the filename of the subject.

@AA-Turner is your idea that you would get this via sigstore/sigstore-js? if you want an easy way to pop this info, I hereby suggest:

gh at inspect --format=json bundle.json |jq .inspectedBundles[].statement.subject[].name

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is where my typescript knowledge ends! I don't know if it should be in sigstore, the JS library underlying this action, or some other location. My basic goal is to extract the subject names from JSON.

Currently, I have a custom Python script (convert_attestations.py) that does this, but to get the subjects it needs to extract base64-encoded JSON, rather than subjects just being a key at any level of the actual attestation JSON.

I ran the command you suggest ('at' are my initials, fun), and it seems to get the data that I need -- but running an external command isn't great here (I want to trust as few tools as possible whilst converting attestations), and I can't guarantee that all project contributors will have the gh CLI tool.

Thank you for the suggestions, though!

A

@AA-Turner
Copy link
Author

This was extremely prompt, so I feel I owe you a prompt review.

Thank you. I have no real experience with TypeScript, but it seems fairly straightforwards. I do apologise as I'm not particularly familiar with custom & practice in the TypeScript world, though.

please delete the your generated index.js

Done.

if you unwind the createSingle/Multi functions so createAttestation is called directly inside the if (inputs.singleSubjectAttestations) { statement then we don't need to modify the AttestResult type / the log functions don't have to be modified either

Done & reverted (see my mini-essay comment re attestationSubjects, though -- sorry!)

I left some comments on the log functions, let's avoid modifying their signatures, keeps this diff even simpler.

I believe everything is reverted. Still a larger diff than I'd like, but +60/-20 seems much more reasonable.

A

@phillmv
Copy link
Contributor

phillmv commented Mar 4, 2025

I've seen your comments @AA-Turner and left you a suggestion which hopefully makes sense.

@phillmv
Copy link
Contributor

phillmv commented Mar 5, 2025

@AA-Turner aaaaaand now we've run into some CI configuration issues as we've not really been setup to accept external contributions 🤦‍♀️.

I'm afraid we will have to take it from here – but can't really work on it til next week at the earliest. I hereby pledge that we will respect your efforts but unfortunately you'll have to wait a bit longer before we see it merged.

@AA-Turner
Copy link
Author

No worries, thank you for your patience in review, and thank you for taking this forwards (internally).

If useful, I licence all contributions in this PR under 0BSD, CC0-1.0, or the pre-existing licences used in this repository, at your discretion.

A

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Single-subject attestations in actions/attest@v2
2 participants