From dc4e9cb5323ebbad58030a4c3bdb3930e6c54547 Mon Sep 17 00:00:00 2001
From: ejahnGithub
Date: Tue, 30 Jul 2024 12:11:25 -0700
Subject: [PATCH] handle attest case insensitivity
---
 .../attestation/verification/extensions.go | 27 +++++++++++++++++++
 pkg/cmd/attestation/verify/policy.go | 17 ++++--------
 pkg/cmd/attestation/verify/verify.go | 6 +++++
 3 files changed, 38 insertions(+), 12 deletions(-)
 create mode 100644 pkg/cmd/attestation/verification/extensions.go
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
new file mode 100644
index 000000000..ffbefb9d3
--- /dev/null
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -0,0 +1,27 @@
+package verification
+
+import (
+ "fmt"
+ "strings"
+)
+
+func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error {
+ for _, attestation := range results {
+ if owner != "" {
+ expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
+ sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
+ if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+ return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
+ }
+ }
+
+ if repo != "" {
+ expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
+ sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
+ if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+ return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
+ }
+ }
+ }
+ return nil
+}
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 959bd08a9..938e8048f 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
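Review bot: The chain `attestation.VerificationResult.Signature.Certificate.Extensions` in both lookups inside VerifyCertExtensions is dereferenced with no nil check, so if sigstore-go can hand back a result whose Signature or Certificate is nil (for example a bundle verified against a raw public key rather than a Fulcio certificate) the verify command panics instead of reporting a failed policy. I would guard each iteration with `if attestation.VerificationResult == nil || attestation.VerificationResult.Signature == nil || attestation.VerificationResult.Signature.Certificate == nil { return fmt.Errorf("attestation is missing certificate extensions") }` before reading the extensions; the sigstore-go types are not visible here, so confirm which of those fields are pointers. strings.EqualFold applies full Unicode case folding, which is wider than the ASCII-only case-insensitivity of GitHub owner and repository names; that is harmless while both sides are ASCII, but a one-line comment saying so would stop someone "tightening" it later without understanding the trade-off. The function also returns nil for an empty results slice, which is only safe if the caller has already rejected a verification that produced no results. As an exported function it needs a doc comment, e.g. `// VerifyCertExtensions checks that every verified attestation's certificate names the expected owner and repository URIs, comparing case-insensitively; an empty owner or repo skips that check.`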
@@ -21,7 +21,7 @@ const (
 )
 func expandToGitHubURL(ownerOrRepo string) string {
- return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo)
+ return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)
 }
 func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) {
@@ -42,17 +42,10 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 return verify.SubjectAlternativeNameMatcher{}, nil
 }
-func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
- extensions := certificate.Extensions{
- SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
- RunnerEnvironment: runnerEnv,
+func buildCertExtensions(runnerEnv string) certificate.Extensions {
+ return certificate.Extensions{
+ RunnerEnvironment: runnerEnv,
 }
-
- // if opts.Repo is set, set the SourceRepositoryURI field before returning the extensions
- if opts.Repo != "" {
- extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
- }
- return extensions
 }
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
@@ -66,7 +59,7 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 return nil, err
 }
- extensions := buildCertExtensions(opts, runnerEnv)
+ extensions := buildCertExtensions(runnerEnv)
 certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 if err != nil {
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 16b9477e8..e1a5b1c50 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
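Review bot: expandToGitHubURL still interpolates ownerOrRepo into a regular expression without escaping, so a repository name containing `.` (GitHub permits names such as `foo.github.io`) becomes a wildcard in the SAN pattern and `https://github.com/owner/foo-github.io/` would satisfy `--repo owner/foo.github.io`; the new `(?i)` flag does not change that. Since `^https://github.com/%s/` is clearly meant as a literal prefix, build it with `return fmt.Sprintf("(?i)^https://github.com/%s/", regexp.QuoteMeta(ownerOrRepo))` and add `regexp` to the imports. Whether this is exploitable depends on which matcher buildSANMatcher hands the pattern to (its body lies outside the hunk) and on whether the post-verification VerifyCertExtensions comparison always runs for the same value, but the QuoteMeta call is cheap defence in depth either way.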
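Review bot: buildCertExtensions no longer places SourceRepositoryOwnerURI or SourceRepositoryURI in the sigstore CertificateIdentity, so the owner/repo constraint is now enforced only where a caller separately runs verification.VerifyCertExtensions after Sigstore verification; any other code path that builds a policy from this function silently accepts attestations from any owner. That split deserves a doc comment on the function so a future caller does not assume the policy is complete, e.g. `// buildCertExtensions constrains only RunnerEnvironment; the owner and repository URIs are matched case-insensitively after verification by verification.VerifyCertExtensions, so every caller must run that check as well.` The move is presumably because sigstore-go compares extension values exactly; if a second caller of buildCertificateIdentityOption exists, consider centralising both steps in one helper rather than relying on each call site to remember the follow-up check.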
@@ -235,6 +235,12 @@ func runVerify(opts *Options) error {
 return sigstoreRes.Error
 }
+ // Verify extensions
+ if err := verification.VerifyCertExtensions(sigstoreRes.VerifyResults, opts.Owner, opts.Repo); err != nil {
+ opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Verification failed"))
+ return err
+ }
+
 opts.Logger.Println(opts.Logger.ColorScheme.Green("✓ Verification succeeded!\n"))
 // If an exporter is provided with the --json flag, write the results to the terminal in JSON format
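Review bot: The comment `// Verify extensions` above the new VerifyCertExtensions call says nothing about why this check lives outside the Sigstore policy, which is the non-obvious part of the change; I would replace it with `// Sigstore has verified the signature and certificate chain; enforce the expected owner/repo URIs here so the comparison can be case-insensitive.` The check walks every entry of sigstoreRes.VerifyResults and fails on the first mismatch, so a bundle that mixes attestations from several repositories is rejected as a whole; if that is intended, say so in the comment, and if only one matching attestation should be required the loop in VerifyCertExtensions needs to filter rather than fail. runVerify begins and ends outside this hunk.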