update rekor intoto/0.0.2 entry hash calculation #151
Conversation
Signed-off-by: Brian DeHamer <[email protected]>
/cc @codysoyland
// * payload is base64 encoded
// * signature is base64 encoded (only the first signature is used)
// * keyid is included ONLY if it is NOT an empty string
// * The resulting JSON is canonicalized and hashed to a hex string
Yikes!
Is it worth writing some kind of tests around this behaviour to make sure we don't deviate from it in future?
Do we have some tests in src/tlog/verify.test.ts that create different kinds of envelopes with and without a keyid? Maybe with multiple sigs?
@feelepxyz I added some more tests around the DSSE hash calculation to ensure that we don't unintentionally alter it.
Gnarly.. nice work figuring this out! Just had one comment around tests, otherwise LGTM 👍
🎉
Signed-off-by: Brian DeHamer <[email protected]>
78aa898 to 32ffd2d
Thanks for adding the tests!
Signed-off-by: Brian DeHamer <[email protected]>
Summary
Updates the logic to properly calculate the digest of a DSSE envelope when creating an intoto/0.0.2 style entry in Rekor.
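The digest calculation that the PR's in-line comments describe (payload and first signature base64-encoded, keyid present only when non-empty, then the JSON canonicalized and hashed to hex), as an added TypeScript example that is not sigstore-js's own code. The `Envelope` and `RekorEnvelope` shapes, the `canonicalize` helper (a sorted-key serializer standing in for a full RFC 8785 canonicalizer) and the inclusion of `payloadType` in the hashed object are assumptions of this example; the sample envelope is constructed.

```typescript
import { createHash } from 'crypto';

// DSSE envelope as produced by a signer (assumed shape, after the DSSE spec:
// raw payload bytes plus one or more signatures, each with an optional keyid).
export interface Signature { sig: Buffer; keyid: string; }
export interface Envelope { payloadType: string; payload: Buffer; signatures: Signature[]; }

// Envelope as it appears inside a Rekor intoto/0.0.2 entry (assumed shape):
// payload and sig are base64 strings and keyid is present only when non-empty.
export interface RekorEnvelope {
  payloadType: string;
  payload: string;
  signatures: { sig: string; keyid?: string }[];
}

// Deterministic JSON: object keys sorted, no whitespace, undefined members dropped.
// Simplified stand-in for an RFC 8785 canonicalizer; adequate for this flat structure.
export function canonicalize(value: unknown): string {
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return `[${value.map(canonicalize).join(',')}]`;
  }
  const obj = value as Record<string, unknown>;
  const keys = Object.keys(obj).filter((k) => obj[k] !== undefined).sort();
  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`).join(',')}}`;
}

// Build the object that is hashed for an intoto/0.0.2 entry:
//  * payload is base64 encoded
//  * only the first signature is used, base64 encoded
//  * keyid is included ONLY if it is not an empty string
export function toRekorEnvelope(env: Envelope): RekorEnvelope {
  if (env.signatures.length === 0) {
    throw new Error('DSSE envelope has no signatures');
  }
  const first = env.signatures[0];
  const out: RekorEnvelope = {
    payloadType: env.payloadType,
    payload: env.payload.toString('base64'),
    signatures: [{ sig: first.sig.toString('base64') }],
  };
  if (first.keyid.length > 0) {
    out.signatures[0].keyid = first.keyid;
  }
  return out;
}

// Canonicalize the Rekor-shaped envelope and hash it to a lowercase hex SHA-256.
// This is the digest the client must reproduce to match what Rekor computes.
export function dsseEnvelopeHash(env: Envelope): string {
  const canonical = canonicalize(toRekorEnvelope(env));
  return createHash('sha256').update(canonical, 'utf8').digest('hex');
}

// Constructed sample: a tiny in-toto statement with a placeholder signature.
export const sampleEnvelope: Envelope = {
  payloadType: 'application/vnd.in-toto+json',
  payload: Buffer.from('{"_type":"https://in-toto.io/Statement/v0.1"}', 'utf8'),
  signatures: [{ sig: Buffer.from('placeholder-signature-bytes', 'utf8'), keyid: '' }],
};

console.log(dsseEnvelopeHash(sampleEnvelope));
```

The two behaviours worth pinning in tests are the ones the review thread asks about: an envelope with a second signature hashes identically to one with only the first, and an empty keyid yields the same canonical JSON as no keyid at all, while a non-empty keyid changes the digest.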