Skip to content

Add support for verifying dsse-intoto#855

Merged
loosebazooka merged 1 commit intomainfrom
dsse_support
Dec 26, 2024
Merged

Add support for verifying dsse-intoto#855
loosebazooka merged 1 commit intomainfrom
dsse_support

Conversation

@loosebazooka
Copy link
Member

@loosebazooka loosebazooka commented Nov 21, 2024

  • Verification should be able to correctly validate a bundle as cryptographically valid (VerificationOptions.empty())
  • Verifiers may also include signer identity during verification
  • Verifiers should extract the embedded attestation to do further analysis on the attestation. Sigstore-java does not process those in any way
  • There is no signing options for DSSE bundles

needs #873 #872

@loosebazooka loosebazooka force-pushed the dsse_support branch 5 times, most recently from 7a7e1b6 to 85dd2f1 Compare December 13, 2024 18:53
@loosebazooka
Copy link
Member Author

I'm gonna split this up, make it a little easier to review.

@loosebazooka loosebazooka marked this pull request as draft December 18, 2024 18:08
@loosebazooka loosebazooka force-pushed the dsse_support branch 3 times, most recently from 299a6b0 to d6b598c Compare December 18, 2024 20:30
- Verification should be able to correctly validate a bundle as
  cryptographically valid (VerificationOptions.empty())
- Verifiers may also include signer identity during verification
- Verifiers should extract the embedded attestation to do further
  analysis on the attestation. Sigstore-java does not process
  those in any way
- There is no signing options for DSSE bundles

Signed-off-by: Appu Goundan <appu@google.com>
@loosebazooka loosebazooka marked this pull request as ready for review December 20, 2024 20:15
var digestBytes = Hex.decode(subject.getDigest().get("sha256"));
return Arrays.equals(artifactDigest, digestBytes);
} catch (DecoderException de) {
// ignore (assume false)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

log.warn?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super sure, if it fails then we'll see a keyless verification exception and users can debug at that point? I guess I can add one in a followup.

@loosebazooka loosebazooka merged commit b290ca4 into main Dec 26, 2024
25 checks passed
@loosebazooka loosebazooka deleted the dsse_support branch December 26, 2024 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants

Comments