Adds support for new Rekor 'dsse' entry type #527
Conversation
Signed-off-by: Bob Callaway <[email protected]>
🦋 Changeset detected. Latest commit: 83a38ea. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Signed-off-by: Bob Callaway <[email protected]>
@bobcallaway I'd like to try generating/verifying some bundles with the new DSSE Rekor type -- has the build with the DSSE type been deployed to production yet?
Before I merge this, I'm going to add some unit tests around the new verification code as well.
```ts
// Collect all of the signatures from the tlog entry
// Remember that tlog signatures are double base64-encoded
const tlogSigs = tlogEntry.spec.signatures?.map((signature) =>
  signature.signature ? enc.base64Decode(signature.signature) : ''
);
```
Is this comment about the double base64 encoding still true for the DSSE type?
Did a test in staging and I don't think we need to decode the signature at all here. The sig value from the DSSE envelope above is b64 encoded which should then match the value we pull from the tlog entry here.
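The point made in the comment above, as an added example (not code from this PR or from the sigstore-js project): for the `dsse` entry type, the `sig` values in the DSSE envelope and the `signature` values in the tlog entry spec are both single-base64-encoded, so a verifier can match them directly; decoding the tlog value a second time, as the older entry type required, would break the comparison. The envelope, the tlog spec, the signature bytes and the function names are all constructed for illustration and assume the field names shown in the review snippet (`spec.signatures[].signature`) and the standard DSSE envelope layout (`signatures[].sig`).

```javascript
// Constructed sample data: not a real envelope, signature or Rekor entry.
const SIG_BYTES = Buffer.from('constructed-signature-bytes-1');

const SAMPLE_ENVELOPE = {
  payloadType: 'application/vnd.in-toto+json',
  payload: Buffer.from('{"_type":"https://in-toto.io/Statement/v0.1"}').toString('base64'),
  // DSSE envelope signatures carry a base64 string in `sig`.
  signatures: [{ keyid: '', sig: SIG_BYTES.toString('base64') }],
};

// Rekor 'dsse' entry spec as seen in the review snippet: `signature` holds the
// same base64 string the envelope carries, encoded only once.
const SAMPLE_TLOG_SPEC = {
  signatures: [{ signature: SIG_BYTES.toString('base64'), verifier: 'constructed-verifier' }],
};

// Decode a base64 field to bytes, treating a missing field as empty so that
// an absent or malformed entry can never match a real signature.
function decodeSig(value) {
  return value ? Buffer.from(value, 'base64') : Buffer.alloc(0);
}

// Check that every signature in the envelope is present in the tlog entry.
// Comparing decoded bytes (rather than raw strings) tolerates padding or
// line-wrapping differences between the two encodings of the same value.
function tlogEntryCoversEnvelope(envelope, tlogSpec) {
  const tlogSigs = (tlogSpec.signatures ?? []).map((s) => decodeSig(s.signature));
  const envSigs = (envelope.signatures ?? []).map((s) => decodeSig(s.sig));
  if (envSigs.length === 0) {
    return false; // an envelope with no signatures verifies nothing
  }
  return envSigs.every((env) =>
    env.length > 0 && tlogSigs.some((t) => t.length === env.length && t.equals(env))
  );
}

// Failure mode from the thread: applying the extra base64 decode that the
// previous entry type needed ("double base64-encoded") to a 'dsse' entry
// turns the tlog value into unrelated bytes and the match fails.
function tlogEntryCoversEnvelopeDoubleDecoded(envelope, tlogSpec) {
  const doubleDecoded = {
    signatures: (tlogSpec.signatures ?? []).map((s) => ({
      signature: decodeSig(s.signature).toString('latin1'),
    })),
  };
  return tlogEntryCoversEnvelope(envelope, doubleDecoded);
}

// Stand-alone demonstration.
console.log('direct match:', tlogEntryCoversEnvelope(SAMPLE_ENVELOPE, SAMPLE_TLOG_SPEC));
console.log('double-decoded match:', tlogEntryCoversEnvelopeDoubleDecoded(SAMPLE_ENVELOPE, SAMPLE_TLOG_SPEC));
```

The check is deliberately strict about absent fields: a tlog entry with no `signature` value decodes to zero bytes and can never satisfy the `every` condition, so a malformed entry fails closed rather than matching an empty string.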
do you have docs somewhere on how to target staging with the client? I had to make several code changes when I was doing that.
There's a new CLI in the "packages/cli" directory which supports a flag for overriding the rekor URL. From the root of the project you can do `./packages/cli/bin/dev attest --help`. That should show you the various flags.
Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Brian DeHamer <[email protected]>
Added a unit test for verifying the dsse TLog type. Thanks again @bobcallaway for tackling this.
Summary
This adds support for uploading Rekor entries about DSSE envelope-based attestations using the new `dsse` type added in sigstore/rekor#1487. This PR builds on #525 (given the codegen changes can not be cleanly separated).
Release Note
`dsse` pluggable type, part of #526