-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow uploading detached signatures over in-toto statements with --type=intoto
#865
Comments
@lumjjb @SantiagoTorres For your opinions: |
Hmm, I think there are a couple of separate problems in there. You can still use x509 sigs/keyids on DSSE as far as I'm aware. Either way, if we wanted to separate the envelope from the type on in-toto we could do that, but that will become a problem later when we actually want to index things no? |
This is important but not sure it should block GA. |
Will #973 fix this one? |
@rbehjati took a review on this PR:
That PR's implementation of artifact creation via CLI flags assumes that artifact is a JSON envelope. If would be a little complicated logic to modify, but could be done. @pxp928 You would need to do the following in
@rbehjati how would you communicate the |
We use Do you recommend using the upload functionality programatically instead of using the CLI? |
Currently when uploading artefacts to Rekor using
rekor-cli upload --type intoto
only in-toto attestations in the form of DSSE Envelopes can be uploaded. (This is based on my current understanding. I was not able to upload anything else, but also I am not an expert in in-toto).It would be nice to be able to upload in-toto statements with detached signatures. For instance, currently one could upload an in-toto statement (for instance a SLSA provenance file), with a detached signature with the following command:
rekor-cli upload --type rekord --artifact provenance.json --signature provenance.sig --pki-format=x509 --public-key=pub.pem
However, since the type in this case is not
intoto
the subject and the materials in the provenance files are not indexed.Alternatively, is it possible to implement indexing similar to #792 for artefacts that, as in the example above, are in-toto statements, but are not DSSE Envelopes with an attached signature (and therefore are not uploaded with
--type intoto
)?The text was updated successfully, but these errors were encountered: