Brian DeHamer
2e13ec5d80
Merge pull request #9616 from cli/bdehamer/custom-issuer-error
...
Better messaging for `attestation verify` custom issuer mismatch error
2024-09-16 12:52:12 -07:00
Brian DeHamer
8c8423aa3d
better error for att verify custom issuer mismatch
...
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
2024-09-16 12:38:12 -07:00
Meredith Lancaster
e381d54511
Merge pull request #9564 from malancas/verification-err-output
...
Update `gh attestation verify` bundle parsing and validation errors
2024-09-13 09:27:07 -06:00
Fredrik Skogman
1b59ec8ad0
This commit introduces tenancy aware attestation policy building.
...
This is done by inspecting the current hostname to determine if
tenancy is enabled.
The attestation commands also accept a --hostname parameter that
is used to pick the current host, similar to how the GH_HOST variable
can be used.
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
2024-09-11 10:49:17 +02:00
Meredith Lancaster
50d335566d
check specific err
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-10 10:47:06 -06:00
Meredith Lancaster
3814e82f9b
check err in GetLocalAttestations
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-10 10:32:46 -06:00
Meredith Lancaster
f748f9e65f
Merge remote-tracking branch 'upstream/trunk' into verification-err-output
2024-09-10 09:04:57 -06:00
Meredith Lancaster
83519e4e92
check for sigstore-go validation errs
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-10 07:54:45 -06:00
Meredith Lancaster
bbefc5b24f
handle os.PathError in GetLocalAttestations
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-09 08:53:11 -06:00
Meredith Lancaster
945e2b7eee
Merge branch 'trunk' into verification-err-output
2024-09-09 08:23:01 -06:00
Cody Soyland
500b619a5e
Move non-integration test to different test file
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-09-06 13:55:25 -04:00
Meredith Lancaster
668706ccf5
print verify err
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-05 13:29:22 -06:00
Meredith Lancaster
57b20291bd
check for os.PathError
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-05 13:20:13 -06:00
Meredith Lancaster
7c405e8b6e
don't print err content
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-05 08:16:34 -06:00
Cody Soyland
ea1a3da1eb
Rename ProtobufBundle to Bundle
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-09-04 16:45:02 -04:00
Cody Soyland
8446079656
Upgrade to sigstore-go v0.6.1
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-09-04 16:38:13 -04:00
Meredith Lancaster
1b67b354a9
update bundle file parsing err messages
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-04 13:30:30 -06:00
Meredith Lancaster
34d7ef7a0e
gh attestation verify handles empty JSONL files (#9541)
...
* handle empty jsonl files
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check processed attestations slice length
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update err name and message
Signed-off-by: Meredith Lancaster <malancas@github.com>
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-09-04 10:31:41 -06:00
Aryan Bhosale
9a0a7d427e
verify 2nd artifact without swapping order (#9532)
...
* verify 2nd artifact without swapping order
possible solution to https://github.com/cli/cli/issues/9521#issuecomment-2310686619 ?
* copy the mentioned test file and adds some extra lines
* rm unnecessary import
* Update pkg/cmd/attestation/verification/attestation_test.go
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>
* gofmt
---------
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>
2024-09-04 08:57:56 -06:00
Aryan Bhosale
8305a49c3f
"offline" verification using the bundle of attestations without any additional handling of the file (#9523)
2024-08-26 09:58:29 -06:00
Eugene
e21d053faf
Merge branch 'trunk' into eugene/attestation/fetch-oci-bundle
2024-08-21 12:24:08 -04:00
ejahnGithub
47a8f4bbdd
update error message
2024-08-20 16:14:39 -04:00
Eugene
04e111db03
Merge branch 'trunk' into eugene/attestation/fetch-oci-bundle
2024-08-15 13:31:41 -04:00
Cody Soyland
4618a267de
Update attestation TUF root
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-08-15 13:06:54 -04:00
ejahnGithub
5ae03d6e87
added more test
2024-08-12 07:10:19 -07:00
Cody Soyland
35b2cf70cf
Change to requiring bundle v0.2
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-08-09 16:36:16 -04:00
Cody Soyland
574e131072
Require Sigstore Bundle v0.3 when verifying with gh attestation
...
Signed-off-by: Cody Soyland <codysoyland@github.com>
2024-08-09 16:02:04 -04:00
ejahnGithub
57aea664e5
added test
2024-08-07 10:10:59 -07:00
ejahnGithub
8d17896080
refactor the logic and logging
2024-08-05 12:25:52 -07:00
ejahnGithub
1eaf712dd1
update test and remove logic to check SourceRepositoryOwnerURI is empty string
2024-07-31 07:29:43 -07:00
ejahnGithub
596ee8bd71
update test
2024-07-30 13:22:49 -07:00
ejahnGithub
580ddf6997
minor fix
2024-07-30 13:14:16 -07:00
ejahnGithub
e21e5ef5c5
update test
2024-07-30 13:09:28 -07:00
ejahnGithub
c1adb1a6cf
added
2024-07-30 12:24:27 -07:00
ejahnGithub
dc4e9cb532
handle attest case insensitivity
2024-07-30 12:11:25 -07:00
Zach Steindler
658f125ab3
Update sigstore-go in gh CLI to v0.5.1 (#9366)
...
Signed-off-by: Zach Steindler <steiza@github.com>
2024-07-25 20:59:39 +02:00
Zach Steindler
f972050dc9
gh attestation trusted-root subcommand (#9206)
...
Adds `trusted-root` subcommand to `gh attestation`.
For use in upcoming docs on how to do offline verification with artifact
attestations.
---------
Signed-off-by: Zach Steindler <steiza@github.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
2024-07-01 11:50:39 -04:00
Forrin
c572383bda
Attestation Verification - Buffer Fix (#9198)
...
* swap scanner to readline for attestations
* replace readLine with readBytes
2024-06-14 13:55:58 -04:00
Viktor Szépe
6d9dd57774
Fix typos
2024-05-09 20:15:27 +00:00
Meredith Lancaster
6f350827d2
Run attestation command set integration tests separately (#9035)
...
* rename and add integration build tag
Signed-off-by: Meredith Lancaster <malancas@github.com>
* run tests that include integration build tag in workflow
Signed-off-by: Meredith Lancaster <malancas@github.com>
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-05-02 08:07:44 -06:00
William Martin
6d8709bdd7
Merge pull request #8997 from steiza/steiza/attestation-verify-offline
...
Support offline mode for `gh attestation verify`
2024-04-29 12:22:08 +02:00
William Martin
cf2060ce9a
Remove unnecessary defensive check
2024-04-26 17:20:26 +02:00
William Martin
439c95c55e
Test verification failures when attestations are bad
2024-04-26 17:20:04 +02:00
William Martin
a0c06e170e
Rework sigstore tests for easier maintenance
2024-04-26 16:56:13 +02:00
William Martin
054b306d09
Make error more obvious when bundle has wrong extension
2024-04-26 16:23:56 +02:00
Zach Steindler
1aefeec71b
Use cmdutil.ExactArgs instead of MinimumArgs; also add tests
...
Signed-off-by: Zach Steindler <steiza@github.com>
2024-04-25 15:41:49 -04:00
Meredith Lancaster
63640b16a7
Update gh attestation verify output (#8991)
...
* start updating default verify cmd output
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start adding support for printing a table of attestation details
Signed-off-by: Meredith Lancaster <malancas@github.com>
* extract attestation details from verification result
Signed-off-by: Meredith Lancaster <malancas@github.com>
* condense logging
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update logging from feedback
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update error logging
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup more error logging
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include test data for printing to table in the mock sigstore verifier response
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix linter err
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Update pkg/cmd/attestation/verification/mock_verifier.go
Co-authored-by: Phill MV <phillmv@github.com>
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
2024-04-24 14:03:35 -06:00
Zach Steindler
caf0546a11
Just base verification policy on trusted root, not bundle
...
Signed-off-by: Zach Steindler <steiza@github.com>
2024-04-24 11:02:53 -04:00
Zach Steindler
d9f7b922d0
Support offline mode for gh attestation verify
...
The main change is previously we always instantiated a TUF client for
the public good and GitHub Sigstore instances. Now we only instantiate
the TUF client we need, or no client if we are provided a
custom trusted root.
Note that `gh attestation verify` still requires authentication, that is
being addressed in https://github.com/cli/cli/pull/8995 .
Some other changes are coming along for the ride:
- Set TUF cache validity to 1 day, to help serial verification
- Attempt to infer verification policy based on custom trusted root
- Make command output more friendly if you leave off required arguments
Signed-off-by: Zach Steindler <steiza@github.com>
2024-04-24 10:24:23 -04:00
Andy Feller
a42450e9a3
Merge pull request #8949 from steiza/steiza/multi-attestation
...
Add support to `attestation` command for more predicate types.
2024-04-12 11:12:59 -04:00