Add support for verifying dsse-intoto #855

Merged
merged 1 commit into from
Dec 26, 2024

loosebazooka
Member

@loosebazooka loosebazooka commented Nov 21, 2024

  • Verification should be able to correctly validate a bundle as cryptographically valid (VerificationOptions.empty())
  • Verifiers may also include signer identity during verification
  • Verifiers should extract the embedded attestation to do further analysis on the attestation. Sigstore-java does not process those in any way
  • There are no signing options for DSSE bundles

needs #873 #872
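
One way a caller might do the "further analysis" step from the third bullet once bundle verification has passed, as an added example that is not sigstore-java code: it is written in Python against the DSSE envelope and in-toto statement JSON layouts. The helper names, sample subjects, predicate type and placeholder signature are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def extract_statement(envelope: dict) -> dict:
    # Call only after signature verification; decoding proves nothing by itself.
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("not an in-toto DSSE envelope")
    return json.loads(base64.b64decode(envelope["payload"], validate=True))


def subject_matches(statement: dict, artifact: bytes) -> bool:
    # True if any subject lists the artifact's sha256 digest.
    want = hashlib.sha256(artifact).digest()
    for subject in statement.get("subject", []):
        hex_digest = (subject.get("digest") or {}).get("sha256")
        if not isinstance(hex_digest, str):
            continue  # subject has no sha256 entry
        try:
            got = bytes.fromhex(hex_digest)
        except ValueError:
            continue  # malformed hex counts as a non-match, not an error
        if hmac.compare_digest(got, want):
            return True
    return False


def sample_envelope(artifact: bytes) -> dict:
    # Constructed sample: the signature value is a placeholder, not a real one.
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [
            {"name": "broken", "digest": {"sha256": "zz-not-hex"}},
            {"name": "app.jar", "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}},
        ],
        "predicateType": "https://example.com/predicate/v1",
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"sig": "PLACEHOLDER"}]}
```
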

@loosebazooka loosebazooka force-pushed the dsse_support branch 5 times, most recently from 7a7e1b6 to 85dd2f1 Compare December 13, 2024 18:53
@loosebazooka
Member Author

I'm gonna split this up, make it a little easier to review.

@loosebazooka loosebazooka marked this pull request as draft December 18, 2024 18:08
@loosebazooka loosebazooka force-pushed the dsse_support branch 3 times, most recently from 299a6b0 to d6b598c Compare December 18, 2024 20:30
- Verification should be able to correctly validate a bundle as
  cryptographically valid (VerificationOptions.empty())
- Verifiers may also include signer identity during verification
- Verifiers should extract the embedded attestation to do further
  analysis on the attestation. Sigstore-java does not process
  those in any way
- There are no signing options for DSSE bundles

Signed-off-by: Appu Goundan <[email protected]>
@loosebazooka loosebazooka marked this pull request as ready for review December 20, 2024 20:15
var digestBytes = Hex.decode(subject.getDigest().get("sha256"));
return Arrays.equals(artifactDigest, digestBytes);
} catch (DecoderException de) {
// ignore (assume false)
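Review bot: The empty catch for DecoderException makes a malformed sha256 value in a subject indistinguishable from an ordinary digest mismatch, so a caller debugging a failed verification cannot tell a corrupt attestation from a wrong artifact. Consider logging the offending subject inside the catch, and check that subject.getDigest().get("sha256") actually returned a value before it is passed to Hex.decode, since a subject with no sha256 entry is not obviously covered by catching DecoderException.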
Collaborator

log.warn?

Member Author

I'm not super sure, if it fails then we'll see a keyless verification exception and users can debug at that point? I guess I can add one in a followup.

@loosebazooka loosebazooka merged commit b290ca4 into main Dec 26, 2024
25 checks passed
@loosebazooka loosebazooka deleted the dsse_support branch December 26, 2024 18:26