Check if intoto hash is available before accessing it as an index key #800

Merged: 1 commit, Apr 30, 2022

Conversation

priyawadhwa (Contributor)

From what I understand, we use these keys to help enable lookup in Redis. Some attestations don't have a hash associated with them, and so this errors out.

You can see this bug when trying to upload a custom predicate (not type slsaprovenance) with cosign to production (older version of Rekor) vs HEAD:

Production works:

cosign attest  --predicate predicate  ttl.sh/priya/busybox
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=3Dz_am0xYk62oKDMhfNV2oqDxsB9HfFFelLP_YLeR1w&code_challenge_method=S256&nonce=28UPOzf1vYJwNIufLnvfb4lrCMv&redirect_uri=http%3A%2F%2Flocalhost%3A63151%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=28UPOu8yR4CZ4udOKv1msOfOWuu
Successfully verified SCT...
Using payload from: predicate
tlog entry created with index: 2193004

but HEAD doesn't:

cosign attest  --predicate predicate --rekor-url http://localhost:3000  ttl.sh/priya/busybox
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=iXgmMTHsZOlnQsrV8_JghIY50qdQPImTKt1nejRk7To&code_challenge_method=S256&nonce=28UPcXVob3Qaoa83VL1ynX28KCA&redirect_uri=http%3A%2F%2Flocalhost%3A63190%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=28UPcXfAhqAfJk744QEGYZOfWtR
Successfully verified SCT...
Using payload from: predicate
Error: signing ttl.sh/priya/busybox: Post "http://localhost:3000/api/v1/log/entries": EOF
main.go:52: error during command execution: signing ttl.sh/priya/busybox: Post "http://localhost:3000/api/v1/log/entries": EOF

and the server crashes with this nil pointer exception:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1a192e9]

goroutine 98 [running]:
github.com/sigstore/rekor/pkg/types/intoto/v0%2e0%2e1.V001Entry.IndexKeys({{0xc0001bff40, 0xc000cc2678}, {0x1e78908, 0xc000cce690}, {{0xc0003cf1e0, 0x1c}, {0xc000cf6800, 0x35d4}, {0xc000b69100, 0x1, ...}}})
        /Users/priyawadhwa/rekor/pkg/types/intoto/v0.0.1/entry.go:87 +0x229
github.com/sigstore/rekor/pkg/api.createLogEntry.func1()
        /Users/priyawadhwa/rekor/pkg/api/entries.go:211 +0x55
created by github.com/sigstore/rekor/pkg/api.createLogEntry
        /Users/priyawadhwa/rekor/pkg/api/entries.go:210 +0x1074
exit status 2

Signed-off-by: Priya Wadhwa priya@chainguard.dev

cc @strongjz @asraa

@dlorenc dlorenc merged commit 6876090 into sigstore:main Apr 30, 2022
@github-actions github-actions bot added this to the v1.0.0 milestone Apr 30, 2022
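As an added illustration, not code from Rekor or from this PR, the following Go program models the failure the stack trace above shows (IndexKeys dereferencing an attestation's hash unconditionally) next to the guard the PR title describes. The Entry and Hash types, the keyFingerprint helper and the sample values are assumptions constructed for this example; Rekor's generated model types and its real IndexKeys implementation differ.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hash is a simplified stand-in for the optional hash carried by some
// attestations. Illustrative only; not Rekor's generated model type.
type Hash struct {
	Algorithm string
	Value     string
}

// Entry is a simplified in-toto log entry. Hash is a pointer because a
// custom predicate may arrive without one (the case that crashed HEAD).
type Entry struct {
	PublicKey []byte // key bytes supplied with the entry
	Hash      *Hash  // nil when the attestation carried no hash
}

// indexKeysUnsafe mirrors the failure mode in the PR: it dereferences e.Hash
// unconditionally, so an entry without a hash triggers a nil pointer panic.
func indexKeysUnsafe(e Entry) []string {
	keys := []string{keyFingerprint(e.PublicKey)}
	keys = append(keys, strings.ToLower(e.Hash.Algorithm)+":"+e.Hash.Value)
	return keys
}

// indexKeysSafe checks the optional field before using it as an index key,
// which is the shape of fix the PR title describes.
func indexKeysSafe(e Entry) []string {
	keys := []string{keyFingerprint(e.PublicKey)}
	if e.Hash != nil && e.Hash.Value != "" {
		keys = append(keys, strings.ToLower(e.Hash.Algorithm)+":"+e.Hash.Value)
	}
	return keys
}

// keyFingerprint derives a stable lookup key from the public key bytes
// (assumed helper; Rekor derives its key-based index differently).
func keyFingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// indexKeysRecover runs fn and reports whether it panicked, so the unsafe
// variant can be demonstrated without killing the process as the server did.
func indexKeysRecover(fn func(Entry) []string, e Entry) (keys []string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return fn(e), false
}

func main() {
	// Constructed sample entries: one carrying a hash (a provenance-style
	// attestation) and one without (a custom predicate). Values are made up.
	withHash := Entry{PublicKey: []byte("constructed-key-a"), Hash: &Hash{Algorithm: "SHA256", Value: "aa"}}
	noHash := Entry{PublicKey: []byte("constructed-key-b")}

	for _, e := range []Entry{withHash, noHash} {
		_, panicked := indexKeysRecover(indexKeysUnsafe, e)
		fmt.Printf("unsafe: hash present=%v panicked=%v\n", e.Hash != nil, panicked)
		keys, _ := indexKeysRecover(indexKeysSafe, e)
		fmt.Printf("safe:   keys=%v\n", keys)
	}
}
```

The guarded version still indexes the entry by its key fingerprint, so lookups for hash-less attestations keep working; only the hash-derived key is skipped when there is nothing to derive it from.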