Skip to content

Adding protobuf bundle support to sign-blob and attest-blob #3752

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Jul 23, 2024
Merged

Adding protobuf bundle support to sign-blob and attest-blob #3752

merged 14 commits into from
Jul 23, 2024

Conversation

steiza
Copy link
Member

@steiza steiza commented Jun 28, 2024
edited
Loading

Summary

This pull requests addresses the first part of #3139: adding protobuf bundle support for cosign sign-blob and cosign attest-blob.

You can test this by generating the new bundles, for example signing a local file with a cosign provisioned key (requesting a signed timestamp to corroborate):

go run cmd/cosign/main.go sign-blob --bundle="test-bundle.sigstore.json" --new-bundle-format=true --key="cosign.key" --tlog-upload=false --timestamp-server-url="https://timestamp.githubapp.com/api/v1/timestamp" ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

Or using Fulcio to get a signing certificate for an attestation:

go run cmd/cosign/main.go attest-blob --bundle="pgi-bundle.sigstore.json" --new-bundle-format=true --fulcio-url='https://fulcio.sigstore.dev' --rekor-url='https://rekor.sigstore.dev' --identity-token='...' --type=something --predicate="../sigstore-go/examples/sigstore-go-signing/intoto.txt" ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

You can then verify the public good instance bundle using sigstore-go doing something like:

go run cmd/sigstore-go/main.go -artifact examples/sigstore-go-signing/hello_world.txt -trustedrootJSONpath public-good-trusted-root.json -expectedIssuer "https://token.actions.githubusercontent.com" -expectedSANRegex ".+" ../cosign/pgi-bundle.sigstore.json

Release Note

NONE - we probably want to finish #3139 (especially the more comprehensive conformance testing!) before we announce this as released.

Documentation

N/A - same as above

@codecov Codecov
Copy link

codecov bot commented Jul 1, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 34.44976% with 137 lines in your changes missing coverage. Please review.

Project coverage is 37.67%. Comparing base (2ef6022) to head (5892fed).
Report is 166 commits behind head on main.

Files Patch % Lines
cmd/cosign/cli/attest/attest_blob.go 5.68% 82 Missing and 1 partial ⚠️
cmd/cosign/cli/sign/sign_blob.go 46.75% 34 Missing and 7 partials ⚠️
cmd/cosign/cli/options/attest_blob.go 0.00% 4 Missing ⚠️
cmd/cosign/cli/options/signblob.go 0.00% 4 Missing ⚠️
pkg/cosign/bundle/protobundle.go 91.17% 2 Missing and 1 partial ⚠️
cmd/cosign/cli/attest_blob.go 0.00% 1 Missing ⚠️
cmd/cosign/cli/signblob.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3752      +/-   ##
==========================================
- Coverage   40.10%   37.67%   -2.44%     
==========================================
  Files         155      201      +46     
  Lines       10044    12436    +2392     
==========================================
+ Hits         4028     4685     +657     
- Misses       5530     7175    +1645     
- Partials      486      576      +90

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cmurphy
cmurphy reviewed Jul 2, 2024
View reviewed changes
@steiza steiza force-pushed the sign-blob-bundle branch from a169d49 to fb90891 Compare July 3, 2024 17:55
@steiza steiza mentioned this pull request Jul 8, 2024
Closed
8 tasks
haydentherapper
haydentherapper reviewed Jul 11, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fantastic!! Just a few tiny comments, also needs a rebase.

@steiza steiza force-pushed the sign-blob-bundle branch from 1629e5c to 94fd652 Compare July 16, 2024 14:53
haydentherapper
haydentherapper previously approved these changes Jul 23, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on this!

@haydentherapper
Copy link
Contributor

@steiza can you rebase? Just to check, anything else here or any other testing, or is this good to merge?

steiza added 14 commits July 23, 2024 08:47
@steiza
Adding protobuf bundle support to sign-blob and attest-blob
c1ed1d9 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Don't require RFC3161 timestamp path if you are using protobuf bundle
58a87dd 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Fix e2e test and add test coverage
31a5e50 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Add basic tests for SignBlobCmd
bfe8d37 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Add more SignBlobCmd test coverage
59aaca9 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Check result of call in test
3783ce3 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Fix Windows tests
d932ceb 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Change flag to new-bundle-format, move bundle creation to function
38c0420 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Fix lint; docs
689ad7f 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
gofmt -s fixes
c9f6084 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Update hint generation
4c5e8c9 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Add protobundle test case for Rekor
96d662e 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Remove import comment
c792600 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Fix signature for attest-blob
5892fed 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza force-pushed the sign-blob-bundle branch from f78e262 to 5892fed Compare July 23, 2024 12:55
@steiza
Copy link
Member Author

steiza commented Jul 23, 2024

Just to check, anything else here or any other testing, or is this good to merge?

I think this is good to merge!

@haydentherapper haydentherapper merged commit c6cdf1b into sigstore:main Jul 23, 2024
@steiza steiza mentioned this pull request Jul 23, 2024
Merged
steiza added a commit to steiza/cosign that referenced this pull request Sep 11, 2024
@steiza
Fix bug in sigstore#3752
b88c748 
When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza mentioned this pull request Sep 11, 2024
Merged
haydentherapper pushed a commit that referenced this pull request Sep 18, 2024
@steiza
Fix bug in attest-blob when using a timestamp authority with new bund…
4393313 
…les (#3877)

* Fix bug in #3752

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>

* Only change timestamp authority signature behavior for new bundles

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>

* Add happy path e2e test

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
dmitris pushed a commit to dmitris/cosign that referenced this pull request Oct 17, 2024
@steiza @dmitris
Fix bug in attest-blob when using a timestamp authority with new bund…
7a6f214 
…les (sigstore#3877)

* Fix bug in sigstore#3752

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>

* Only change timestamp authority signature behavior for new bundles

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>

* Add happy path e2e test

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
kipz pushed a commit to kipz/cosign that referenced this pull request Oct 21, 2024
@steiza
Adding protobuf bundle support to sign-blob and attest-blob (sigstore…
89b6a71 
…#3752)

This pull requests addresses the first part of sigstore#3139: adding protobuf bundle support for cosign sign-blob and cosign attest-blob.

Signed-off-by: Zach Steindler <steiza@github.com>
kipz pushed a commit to kipz/cosign that referenced this pull request Oct 21, 2024
@steiza
Fix bug in attest-blob when using a timestamp authority with new bund…
dbf8e91 
…les (sigstore#3877)

* Fix bug in sigstore#3752

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>

* Only change timestamp authority signature behavior for new bundles

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>

* Add happy path e2e test

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cmurphy cmurphy cmurphy left review comments

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@steiza @haydentherapper @cmurphy