From 4d57c79770dba9b03d24732cc8407789b3cc9047 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 24 Oct 2024 11:40:55 -0600
Subject: [PATCH 01/13] set provenance predicate type as default for predicate-type flag
Signed-off-by: Meredith Lancaster
---
 .../attestation/verification/attestation.go | 2 +
 .../attestation/verification/mock_verifier.go | 2 -
 pkg/cmd/attestation/verification/sigstore.go | 2 +-
 pkg/cmd/attestation/verify/verify.go | 2 +-
 pkg/cmd/attestation/verify/verify_test.go | 59 ++++++++++++++-----
 5 files changed, 48 insertions(+), 19 deletions(-)
diff --git a/pkg/cmd/attestation/verification/attestation.go b/pkg/cmd/attestation/verification/attestation.go
index 50542a6b3..5c126fc8e 100644
--- a/pkg/cmd/attestation/verification/attestation.go
+++ b/pkg/cmd/attestation/verification/attestation.go
@@ -15,6 +15,8 @@ import (
 "github.com/sigstore/sigstore-go/pkg/bundle"
 )
+const SLSAPredicateType = "https://slsa.dev/provenance/v1"
+
 var ErrUnrecognisedBundleExtension = errors.New("bundle file extension not supported, must be json or jsonl")
 var ErrEmptyBundleFile = errors.New("provided bundle file is empty")
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
index cb3a4c061..c5560743b 100644
--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
@@ -12,8 +12,6 @@ import (
 "github.com/sigstore/sigstore-go/pkg/verify"
 )
-const SLSAPredicateType = "https://slsa.dev/provenance/v1"
-
 type MockSigstoreVerifier struct {
 t *testing.T
 }
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index e237a3eb9..5b4f4a79b 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
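Review bot: The new exported constant `SLSAPredicateType` in the attestation.go hunk has no doc comment, and since it becomes the default of a user-facing flag a reader should be able to see what it denotes without following references; add `// SLSAPredicateType is the in-toto predicate type URI of SLSA provenance v1 attestations; it is the default value of the verify command's --predicate-type flag.` above the declaration. The rename to `SLSAPredicateV1` in PATCH 09/13 carries the constant over still without a comment, so the same applies there with the new name. Moving the constant out of mock_verifier.go into non-test code is the right direction, as production behaviour should not depend on a value that lived next to a mock.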
@@ -113,7 +113,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE
 // issuer. We *must* use the trusted root provided.
 if issuer == PublicGoodIssuerOrg {
 if v.config.NoPublicGood {
- return nil, "", fmt.Errorf("Detected public good instance but requested verification without public good instance")
+ return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance")
 }
 verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot)
 if err != nil {
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index d14081dd8..f41a31aab 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -179,7 +179,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 verifyCmd.Flags().StringVarP(&opts.Repo, "repo", "R", "", "Repository name in the format /")
 verifyCmd.MarkFlagsMutuallyExclusive("owner", "repo")
 verifyCmd.MarkFlagsOneRequired("owner", "repo")
- verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", "", "Filter attestations by provided predicate type")
+ verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", verification.SLSAPredicateType, "Filter attestations by provided predicate type")
 verifyCmd.Flags().BoolVarP(&opts.NoPublicGood, "no-public-good", "", false, "Do not verify attestations signed with Sigstore public good instance")
 verifyCmd.Flags().StringVarP(&opts.TrustedRoot, "custom-trusted-root", "", "", "Path to a trusted_root.jsonl file; likely for offline verification")
 verifyCmd.Flags().IntVarP(&opts.Limit, "limit", "L", api.DefaultLimit, "Maximum number of attestations to fetch")
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 306ff8b35..2ad15ce7c 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -70,11 +70,12 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 DigestAlgorithm: "sha384",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: true,
 },
@@ -85,12 +86,13 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: false,
 },
@@ -101,12 +103,13 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 DigestAlgorithm: "sha256",
+ Hostname: "foo.ghe.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://foo.ghe.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "foo.ghe.com",
 },
 wantsErr: false,
 },
@@ -117,12 +120,13 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 DigestAlgorithm: "sha256",
+ Hostname: "foo.ghe.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "foo.ghe.com",
 },
 wantsErr: true,
 },
@@ -133,12 +137,13 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 DigestAlgorithm: "sha512",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: false,
 },
@@ -148,12 +153,13 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
+ Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- Limit: 30,
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: true,
 },
@@ -163,12 +169,13 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: artifactPath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
+ Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 Repo: "sigstore/sigstore-js",
- Limit: 30,
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: true,
 },
@@ -178,12 +185,13 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: artifactPath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: false,
 },
@@ -193,12 +201,13 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: artifactPath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
+ Limit: 101,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- Limit: 101,
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: false,
 },
@@ -208,12 +217,13 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: artifactPath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
+ Limit: 0,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- Limit: 0,
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: true,
 },
@@ -223,13 +233,14 @@ func TestNewVerifyCmd(t *testing.T) {
 wants: Options{
 ArtifactPath: artifactPath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SAN: "https://github.com/sigstore/",
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsErr: true,
 },
@@ -240,9 +251,27 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: artifactPath,
 BundlePath: bundlePath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
+ SANRegex: "(?i)^https://github.com/sigstore/",
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
+ },
+ wantsExporter: true,
+ },
+ {
+ name: "Use specified predicate type",
+ cli: fmt.Sprintf("%s --bundle %s --owner sigstore --predicate-type https://spdx.dev/Document/v2.3 --format json", artifactPath, bundlePath),
+ wants: Options{
+ ArtifactPath: artifactPath,
+ BundlePath: bundlePath,
+ DigestAlgorithm: "sha256",
+ Limit: 30,
+ OIDCIssuer: verification.GitHubOIDCIssuer,
+ Owner: "sigstore",
+ PredicateType: "https://spdx.dev/Document/v2.3",
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 Hostname: "github.com",
From e8013c077808af0e3c69bdcfd84a4ca43011312f Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 25 Oct 2024 14:04:54 -0600
Subject: [PATCH 02/13] update documentation to indclude predicate-type information
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index f41a31aab..014ffdbe0 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -55,7 +55,9 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 By default, the verify command will attempt to fetch attestations associated
 with the provided artifact from the GitHub API. If you would prefer to verify
 the artifact using attestations stored on disk (c.f. the %[1]sdownload%[1]s command),
- provide a path to the %[1]s--bundle%[1]s flag.
+ provide a path to the %[1]s--bundle%[1]s flag. Additionally, the command
+ will only verify provenance attestations by default. To verify
+ other types of attestations, use the %[1]s--predicate-type%[1]s flag.
 To see the full results that are generated upon successful verification, i.e. for use with a policy engine, provide the %[1]s--format=json%[1]s flag.
From fa6536493f9334e37a9474264ebc356c422fee1d Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 25 Oct 2024 14:54:52 -0600
Subject: [PATCH 03/13] predicate-type is no longer empty
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify.go | 16 +++++++--------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 014ffdbe0..7107cd93b 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -246,16 +246,12 @@ func runVerify(opts *Options) error {
 }
 // Apply predicate type filter to returned attestations
- if opts.PredicateType != "" {
- filteredAttestations := verification.FilterAttestations(opts.PredicateType, attestations)
-
- if len(filteredAttestations) == 0 {
- opts.Logger.Printf(opts.Logger.ColorScheme.Red("✗ No attestations found with predicate type: %s\n"), opts.PredicateType)
- return err
- }
-
- attestations = filteredAttestations
+ filteredAttestations := verification.FilterAttestations(opts.PredicateType, attestations)
+ if len(filteredAttestations) == 0 {
+ opts.Logger.Printf(opts.Logger.ColorScheme.Red("✗ No attestations found with predicate type: %s\n"), opts.PredicateType)
+ return err
 }
+ attestations = filteredAttestations
 policy, err := buildVerifyPolicy(opts, *artifact)
 if err != nil {
@@ -263,6 +259,8 @@ func runVerify(opts *Options) error {
 return err
 }
+ opts.Logger.VerbosePrintf("Verifying attestations with the predicate type %s\n", opts.PredicateType)
+
 sigstoreRes := opts.SigstoreVerifier.Verify(attestations, policy)
 if sigstoreRes.Error != nil {
 opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Verification failed"))
From 28fa42a324deb4db869f83a3b0c2d0a1eaa266e9 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 25 Oct 2024 15:00:11 -0600
Subject: [PATCH 04/13] message formatting
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 7107cd93b..7be4a3a20 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
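Review bot: In the first hunk the `len(filteredAttestations) == 0` branch still ends with `return err`, where `err` is whatever an earlier statement outside this hunk left in it; if that value is nil, which the surrounding flow suggests since an earlier failure would already have returned, the command prints the red "No attestations found" message but exits successfully without having verified anything. Before this change the branch was only reachable when the user passed `--predicate-type`; with the SLSA default the filter now runs for every invocation, so any artifact whose attestations carry a different predicate type takes this fail-open path, and it should return a non-nil error such as `return fmt.Errorf("no attestations found with predicate type %q", opts.PredicateType)` (or an `errors.New` equivalent if verify.go does not import fmt). Dropping the `opts.PredicateType != ""` guard also means an explicit `--predicate-type ""` is now handed to `verification.FilterAttestations`; whether an empty type matches nothing or everything is not visible here and deserves a test case. runVerify begins and ends outside these hunks.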
@@ -259,7 +259,7 @@ func runVerify(opts *Options) error {
 return err
 }
- opts.Logger.VerbosePrintf("Verifying attestations with the predicate type %s\n", opts.PredicateType)
+ opts.Logger.VerbosePrintf("Verifying attestations with predicate type: %s\n", opts.PredicateType)
 sigstoreRes := opts.SigstoreVerifier.Verify(attestations, policy)
 if sigstoreRes.Error != nil {
From cef335c698b03fba80aa8d3122e27ec51e722667 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 25 Oct 2024 15:26:32 -0600
Subject: [PATCH 05/13] update tests to include predicate type
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify_test.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 2ad15ce7c..69acb91e1 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -302,17 +302,18 @@ func TestNewVerifyCmd(t *testing.T) {
 assert.Equal(t, tc.wants.ArtifactPath, opts.ArtifactPath)
 assert.Equal(t, tc.wants.BundlePath, opts.BundlePath)
- assert.Equal(t, tc.wants.TrustedRoot, opts.TrustedRoot)
 assert.Equal(t, tc.wants.DenySelfHostedRunner, opts.DenySelfHostedRunner)
 assert.Equal(t, tc.wants.DigestAlgorithm, opts.DigestAlgorithm)
+ assert.Equal(t, tc.wants.Hostname, opts.Hostname)
 assert.Equal(t, tc.wants.Limit, opts.Limit)
 assert.Equal(t, tc.wants.NoPublicGood, opts.NoPublicGood)
 assert.Equal(t, tc.wants.OIDCIssuer, opts.OIDCIssuer)
 assert.Equal(t, tc.wants.Owner, opts.Owner)
+ assert.Equal(t, tc.wants.PredicateType, opts.PredicateType)
 assert.Equal(t, tc.wants.Repo, opts.Repo)
 assert.Equal(t, tc.wants.SAN, opts.SAN)
 assert.Equal(t, tc.wants.SANRegex, opts.SANRegex)
- assert.Equal(t, tc.wants.Hostname, opts.Hostname)
+ assert.Equal(t, tc.wants.TrustedRoot, opts.TrustedRoot)
 assert.NotNil(t, opts.APIClient)
 assert.NotNil(t, opts.Logger)
 assert.NotNil(t, opts.OCIClient)
@@ -362,11 +363,12 @@ func TestJSONOutput(t *testing.T) {
 OCIClient: oci.MockClient{},
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 exporter: cmdutil.NewJSONExporter(),
 }
- require.Nil(t, runVerify(&opts))
+ require.NoError(t, runVerify(&opts))
 var target []*verification.AttestationProcessingResult
 err := json.Unmarshal(out.Bytes(), &target)
@@ -385,12 +387,13 @@ func TestRunVerify(t *testing.T) {
 OCIClient: oci.MockClient{},
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 }
 t.Run("with valid artifact and bundle", func(t *testing.T) {
- require.Nil(t, runVerify(&publicGoodOpts))
+ require.NoError(t, runVerify(&publicGoodOpts))
 })
 t.Run("with failing OCI artifact fetch", func(t *testing.T) {
From 9ddaf13ef534797f6280a44f0d9bad3d302b7390 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 25 Oct 2024 15:32:16 -0600
Subject: [PATCH 06/13] add predicate type to integration tests
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify_integration_test.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 4b0f0adfb..3a9a8185f 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -40,6 +40,7 @@ func TestVerifyIntegration(t *testing.T) {
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
+ PredicateType: verification.SLSAPredicateType,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -112,6 +113,7 @@ func TestVerifyIntegrationCustomIssuer(t *testing.T) {
 Logger: logger,
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: "https://token.actions.githubusercontent.com/hammer-time",
+ PredicateType: verification.SLSAPredicateType,
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -181,6 +183,7 @@ func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
 Logger: logger,
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
+ PredicateType: verification.SLSAPredicateType,
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -271,6 +274,7 @@ func TestVerifyIntegrationReusableWorkflowSignerWorkflow(t *testing.T) {
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "malancas",
+ PredicateType: verification.SLSAPredicateType,
 Repo: "malancas/attest-demo",
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
From f8f3502cac92b5104ed81b2c2c29ce10c5ad8837 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 28 Oct 2024 15:37:58 -0600
Subject: [PATCH 07/13] doc updates
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify.go | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 7be4a3a20..fbe4591cc 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -52,12 +52,15 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 The %[1]s--owner%[1]s flag value must match the name of the GitHub organization that the artifact's linked repository belongs to.
- By default, the verify command will attempt to fetch attestations associated
- with the provided artifact from the GitHub API. If you would prefer to verify
- the artifact using attestations stored on disk (c.f. the %[1]sdownload%[1]s command),
- provide a path to the %[1]s--bundle%[1]s flag. Additionally, the command
- will only verify provenance attestations by default. To verify
- other types of attestations, use the %[1]s--predicate-type%[1]s flag.
+ By default, the verify command will:
+ - only verify provenance attestations
+ - attempt to fetch relevant attestations via the GitHub API.
+
+ To verify other types of attestations, use the predicate-type flag.
+
+ To use your artifact's OCI registry instead of GitHub's API, use the
+ --bundle-from-oci flag. For offline verification, using attestations
+ stored on desk (c.f. the download command), provide a path to the --bundle flag.
 To see the full results that are generated upon successful verification, i.e. for use with a policy engine, provide the %[1]s--format=json%[1]s flag.
From 7598c4a58f70b25d3e8583cc6b3a28f696ab8bb5 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 28 Oct 2024 15:38:06 -0600
Subject: [PATCH 08/13] organize
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 69acb91e1..f2627120d 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
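Review bot: The added help-text line `stored on desk (c.f. the download command), provide a path to the --bundle flag.` misspells "disk", and it also drops the `%[1]s` wrapping that the removed line gave the `download` command name; the same line is carried into the PATCH 13/13 hunk, where only the flags get wrapped. The rendered line should read `stored on disk (c.f. the %[1]sdownload%[1]s command), provide a path to the %[1]s--bundle%[1]s flag.`. The new bullet `attempt to fetch relevant attestations via the GitHub API.` loses the old text's statement that the attestations fetched are those associated with the provided artifact, which is the property a user relies on when reading a successful verification; consider `attempt to fetch attestations associated with the provided artifact via the GitHub API.`. The long description this hunk edits starts and ends outside the hunk.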
@@ -268,13 +268,13 @@ func TestNewVerifyCmd(t *testing.T) {
 ArtifactPath: artifactPath,
 BundlePath: bundlePath,
 DigestAlgorithm: "sha256",
+ Hostname: "github.com",
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
 PredicateType: "https://spdx.dev/Document/v2.3",
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- Hostname: "github.com",
 },
 wantsExporter: true,
 },
From efa6fafc4780a7f6886f29a523f066968619d903 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 29 Oct 2024 07:06:23 -0600
Subject: [PATCH 09/13] Update pkg/cmd/attestation/verification/attestation.go
Co-authored-by: Phill MV
---
 pkg/cmd/attestation/verification/attestation.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verification/attestation.go b/pkg/cmd/attestation/verification/attestation.go
index 5c126fc8e..0ea91c2f7 100644
--- a/pkg/cmd/attestation/verification/attestation.go
+++ b/pkg/cmd/attestation/verification/attestation.go
@@ -15,7 +15,7 @@ import (
 "github.com/sigstore/sigstore-go/pkg/bundle"
 )
-const SLSAPredicateType = "https://slsa.dev/provenance/v1"
+const SLSAPredicateV1 = "https://slsa.dev/provenance/v1"
 var ErrUnrecognisedBundleExtension = errors.New("bundle file extension not supported, must be json or jsonl")
 var ErrEmptyBundleFile = errors.New("provided bundle file is empty")
From 7bfddec046372e7732a8078130a194aee9fc3571 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 29 Oct 2024 07:09:45 -0600
Subject: [PATCH 10/13] fix references
Signed-off-by: Meredith Lancaster
---
 .../attestation/verification/mock_verifier.go | 2 +-
 pkg/cmd/attestation/verify/verify.go | 2 +-
 pkg/cmd/attestation/verify/verify_test.go | 28 +++++++++----------
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
index c5560743b..e22142ed5 100644
--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
@@ -18,7 +18,7 @@ type MockSigstoreVerifier struct {
 func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
 statement := &in_toto.Statement{}
- statement.PredicateType = SLSAPredicateType
+ statement.PredicateType = SLSAPredicateV1
 result := AttestationProcessingResult{
 Attestation: &api.Attestation{
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index fbe4591cc..bf0f6191d 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -184,7 +184,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 verifyCmd.Flags().StringVarP(&opts.Repo, "repo", "R", "", "Repository name in the format /")
 verifyCmd.MarkFlagsMutuallyExclusive("owner", "repo")
 verifyCmd.MarkFlagsOneRequired("owner", "repo")
- verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", verification.SLSAPredicateType, "Filter attestations by provided predicate type")
+ verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", verification.SLSAPredicateV1, "Filter attestations by provided predicate type")
 verifyCmd.Flags().BoolVarP(&opts.NoPublicGood, "no-public-good", "", false, "Do not verify attestations signed with Sigstore public good instance")
 verifyCmd.Flags().StringVarP(&opts.TrustedRoot, "custom-trusted-root", "", "", "Path to a trusted_root.jsonl file; likely for offline verification")
 verifyCmd.Flags().IntVarP(&opts.Limit, "limit", "L", api.DefaultLimit, "Maximum number of attestations to fetch")
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index f2627120d..1a787ccf4 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -74,7 +74,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
 wantsErr: true,
@@ -90,7 +90,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -107,7 +107,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://foo.ghe.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -124,7 +124,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -141,7 +141,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -157,7 +157,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -173,7 +173,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 Repo: "sigstore/sigstore-js",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -189,7 +189,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -205,7 +205,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 101,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -221,7 +221,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 0,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -237,7 +237,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SAN: "https://github.com/sigstore/",
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
@@ -255,7 +255,7 @@ func TestNewVerifyCmd(t *testing.T) {
 Limit: 30,
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "(?i)^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 },
@@ -363,7 +363,7 @@ func TestJSONOutput(t *testing.T) {
 OCIClient: oci.MockClient{},
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 exporter: cmdutil.NewJSONExporter(),
@@ -387,7 +387,7 @@ func TestRunVerify(t *testing.T) {
 OCIClient: oci.MockClient{},
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 }
From 15d7e33ddb82204ab1d7a9828c442a3cdbd996a6 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 29 Oct 2024 07:11:51 -0600
Subject: [PATCH 11/13] update references
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify_integration_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 3a9a8185f..e7a3ca3fa 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -40,7 +40,7 @@ func TestVerifyIntegration(t *testing.T) {
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "sigstore",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SANRegex: "^https://github.com/sigstore/",
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -113,7 +113,7 @@ func TestVerifyIntegrationCustomIssuer(t *testing.T) {
 Logger: logger,
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: "https://token.actions.githubusercontent.com/hammer-time",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -183,7 +183,7 @@ func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
 Logger: logger,
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
@@ -274,7 +274,7 @@ func TestVerifyIntegrationReusableWorkflowSignerWorkflow(t *testing.T) {
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
 Owner: "malancas",
- PredicateType: verification.SLSAPredicateType,
+ PredicateType: verification.SLSAPredicateV1,
 Repo: "malancas/attest-demo",
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
From 271450883ea14432162bf89cb28c3875159ac296 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 29 Oct 2024 11:53:28 -0600
Subject: [PATCH 12/13] Update pkg/cmd/attestation/verify/verify.go
Co-authored-by: Phill MV
---
 pkg/cmd/attestation/verify/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index bf0f6191d..b649f2083 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -56,7 +56,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 - only verify provenance attestations
 - attempt to fetch relevant attestations via the GitHub API.
- To verify other types of attestations, use the predicate-type flag.
+ To verify other types of attestations, use the %[1]s--predicate-type%[1]s flag.
 To use your artifact's OCI registry instead of GitHub's API, use the
 --bundle-from-oci flag. For offline verification, using attestations
From 384057c2e2c972652692bddd424dc5e3e8614a16 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 29 Oct 2024 11:54:42 -0600
Subject: [PATCH 13/13] bold all flags in docs
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index b649f2083..206001f9b 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -59,8 +59,8 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 To verify other types of attestations, use the %[1]s--predicate-type%[1]s flag.
 To use your artifact's OCI registry instead of GitHub's API, use the
- --bundle-from-oci flag. For offline verification, using attestations
- stored on desk (c.f. the download command), provide a path to the --bundle flag.
+ %[1]s--bundle-from-oci%[1]s flag. For offline verification, using attestations
+ stored on desk (c.f. the download command), provide a path to the %[1]s--bundle%[1]s flag.
 To see the full results that are generated upon successful verification, i.e. for use with a policy engine, provide the %[1]s--format=json%[1]s flag.