Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support verifying digests in addition to artifacts #158

Merged
merged 1 commit into from
Sep 24, 2024
Merged

Support verifying digests in addition to artifacts #158

merged 1 commit into from
Sep 24, 2024

Conversation

facutuesca
Copy link
Contributor

@facutuesca facutuesca commented Sep 18, 2024
edited
Loading

This PR adds support for verifying hashes (instead of files) to the CLI protocol (only when verifying bundles).

It also adapts the sigstore-python-conformance helper to support it, given sigstore-python supports verifying hashes since v3.3.0.

All the existing bundle verification tests have been parametrized to also test the hash verification, in addition to the existing Path (file) verification.

This closes #157

cc @woodruffw

@facutuesca facutuesca mentioned this pull request Sep 18, 2024
Closed
woodruffw
woodruffw reviewed Sep 18, 2024
View reviewed changes
test/test_bundle.py Outdated Show resolved Hide resolved
segiddins
segiddins reviewed Sep 18, 2024
View reviewed changes
docs/cli_protocol.md Show resolved Hide resolved
test/test_bundle.py Outdated Show resolved Hide resolved
woodruffw
woodruffw approved these changes Sep 19, 2024
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, nice work @facutuesca!

This is good to go, but CCing @steiza @kommendorkapten @loosebazooka as other client maintainers who will probably want to be aware of this as it goes in -- you'll likely need to update your conformance wrappers!

@steiza
Copy link
Member

steiza commented Sep 19, 2024

Adding @bdehamer for sigstore-js.

This should be fine for sigstore-go - it's easy for us to set our verification policy accordingly. I don't think this will work with cosign, which maps verify-bundle to cosign verify-blob, which only supports URLs and files, not digests.

But that's not a problem with this pull request - we'll have to figure out how to have cosign additionally handle digests, maybe as part of the VerifierOptions @codysoyland suggested in sigstore/cosign#3879.

@woodruffw woodruffw merged commit 2c7252e into sigstore:main Sep 24, 2024
4 checks passed
@woodruffw
Copy link
Member

Thanks @facutuesca, nice work here!

@segiddins segiddins mentioned this pull request Sep 30, 2024
Merged
@loosebazooka loosebazooka mentioned this pull request Oct 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@segiddins segiddins segiddins approved these changes

@woodruffw woodruffw woodruffw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Conformance suite: support verifying by hash instead of file
4 participants
@facutuesca @steiza @woodruffw @segiddins