Skip to content

Add support for verifying dsse-intoto#855

Merged
loosebazooka merged 1 commit intomainfrom
dsse_support
Dec 26, 2024
Merged

Add support for verifying dsse-intoto#855
loosebazooka merged 1 commit intomainfrom
dsse_support

Conversation

@loosebazooka
Copy link
Member

@loosebazooka loosebazooka commented Nov 21, 2024
edited
Loading

  • Verification should be able to correctly validate a bundle as cryptographically valid (VerificationOptions.empty())
  • Verifiers may also include signer identity during verification
  • Verifiers should extract the embedded attestation to do further analysis on the attestation. Sigstore-java does not process those in any way
  • There is no signing options for DSSE bundles

needs #873 #872

@loosebazooka loosebazooka force-pushed the dsse_support branch 5 times, most recently from 7a7e1b6 to 85dd2f1 Compare December 13, 2024 18:53
@loosebazooka
Copy link
Member Author

loosebazooka commented Dec 18, 2024

I'm gonna split this up, make it a little easier to review.

@loosebazooka loosebazooka marked this pull request as draft December 18, 2024 18:08
This was referenced Dec 18, 2024
Merged
Merged
@loosebazooka loosebazooka force-pushed the dsse_support branch 3 times, most recently from 299a6b0 to d6b598c Compare December 18, 2024 20:30
@loosebazooka
Add support for verifying dsse-intoto
0ff3ffb 
- Verification should be able to correctly validate a bundle as
  cryptographically valid (VerificationOptions.empty())
- Verifiers may also include signer identity during verification
- Verifiers should extract the embedded attestation to do further
  analysis on the attestation. Sigstore-java does not process
  those in any way
- There is no signing options for DSSE bundles

Signed-off-by: Appu Goundan <appu@google.com>
@loosebazooka loosebazooka marked this pull request as ready for review December 20, 2024 20:15
patflynn
patflynn reviewed Dec 21, 2024
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
var digestBytes = Hex.decode(subject.getDigest().get("sha256"));
return Arrays.equals(artifactDigest, digestBytes);
} catch (DecoderException de) {
// ignore (assume false)
Copy link
Collaborator

@patflynn patflynn Dec 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

log.warn?

Copy link
Member Author

@loosebazooka loosebazooka Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super sure, if it fails then we'll see a keyless verification exception and users can debug at that point? I guess I can add one in a followup.

@loosebazooka loosebazooka merged commit b290ca4 into main Dec 26, 2024
25 checks passed
@loosebazooka loosebazooka deleted the dsse_support branch December 26, 2024 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patflynn patflynn patflynn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loosebazooka @patflynn

Comments