-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implementation for file signing verification. #68
Conversation
Welcome @matglas! |
Hi @matglas. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
For testing signed a dummy file myself. # Random input file.
echo $RANDOM > test-blob.txt
# test-blob.sig is the resulting signature.
# test-blob.cert is the temporary cert that signed.
# test-blob.out is the output for future reference during debugging.
COSIGN_EXPERIMENTAL=1 cosign --timeout 90s sign-blob \
--output-signature test-blob.txt.sig \
test-blob.txt > test-blob.out To verify use the COSIGN_EXPERIMENTAL=1 cosign verify-blob \
--signature test-blob.txt.sig \
test-blob.txt Get result from Rekor rekor-cli search --artifact=test-blob.txt --format=json Use the uuid from the search to get the results. rekor-cli get --uuid=<uuid> You can validate the content of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for working on this one! I left a few review comments 👇
/ok-to-test |
I need to review the test cases and come back. I know that some will not work anymore. Also I'm thinking about changing the Probably something along the lines of:
|
Had to rebase and force push because my commits where not signed yet. |
@matglas please rebase again :) |
No problem. Planning to continue working on it on Monday. |
Some decisions from a thread I had with @saschagrunert
Example from @saschagrunert from the Slack thread. type SignedObject struct {
*Image
*File
}
type Image struct {
reference string
digest string
signature string
}
type File struct {
signaturePath string
certificatePath string
} |
I am not satisfied with the wording in error messages if there are suggestions I am open for that. Problem is they feel not consice with the other messages and sometimes done convey what the error could be about. |
Looked into signImage and mirrored the identityToken part. Adjusted error messaging to more in line with the other messaging. Adjusted tests to be testing with private key input.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work, I just have a bunch of comments 👇
@matglas is this still WIP? |
No not anymore. Its going into active testing now and getting feedback on the design. I will remove wip. |
I have to create a test to validate identity token to work for keyless signing with this implementation. Is that possible with the way that the integration job runs? Can we get an identity token in that env? |
Hm, I know GitHub actions supports keyless signing, maybe we have to switch to that for the integration tests. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: matglas, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implementing the
VerifyFile
mechanism to be used bySignFile
to validate if the signing of a file was successful andto verify signed files in the future independently.
Which issue(s) this PR fixes:
Fixes #30
Things done:
VerifyFileInternal
as it need more options to beusable.
FindTLogEntriesByPayload
from cosign to be able to mock it.Removed some options as they are not needed. Up for discussion if its
wise to do.
VerifyFileInternal
.VerifyFile
using the impl.payloadBytes
.IsFileSigned
to start the verification with. Checking theexistence of uuids for the specific file blob.
Special notes for your reviewer:
FindTLogEntriesByPayload
is now a partial wrapper around same method in cosign. I stripped some arguments as we don't need it. But it might be valuable to keep them to not adjust the interface more later. Like to hear others thoughts on this.We created a wrapper to allow us to easily test finding results from Rekor.
OutputCertificatePath
and theOutputSignaturePath
. Do we know if those are being created and stored when the signing happens. And where are those stored after the signing ceremony. Because now it seems we can only verify during our Signing.After a conversation with @saschagrunert we decided that the paths would be auto set to
<file path>.sig
and<file path>.cert
. But the user that implements the signing can choose to adjust the output paths.Special note: If one relies on SignedObject there is a breaking change. It is refactored to hold Image and File object depending on the type of signing that happens.
@kubernetes/release-managers
TODO: