Allow configurable algorithms in verification #76
Conversation
Signed-off-by: Alex Cameron <[email protected]>
tetsuo-cpp
changed the title
|
CC: @ret2libc |
|
I think it's best to get this in first and follow up with the change to restrict algorithms via a |
| } | ||
|
|
||
| if envelope := sigContent.EnvelopeContent(); envelope != nil { | ||
| verifier, err = getSignatureVerifier(verificationContent, trustedMaterial) |
There was a problem hiding this comment.
As discussed, the envelope flow just uses the defaults that we had before.
Signed-off-by: Alex Cameron <[email protected]>
Signed-off-by: Alex Cameron <[email protected]>
tetsuo-cpp
left a comment
tetsuo-cpp
left a comment
There was a problem hiding this comment.
Unfortunately, unit testing this was a bit of a pain. I've left a few comments about things we probably need to discuss.
| github.com/sigstore/protobuf-specs v0.2.1 | ||
| github.com/sigstore/rekor v1.3.4 | ||
| github.com/sigstore/sigstore v1.8.0 | ||
| github.com/sigstore/rekor v1.3.5-0.20240129120212-63aa08fd13eb |
There was a problem hiding this comment.
- Pin to a version once a new Rekor release is cut.
|
|
||
| type PublicKey struct { | ||
| hint string | ||
| HintString string |
There was a problem hiding this comment.
I had to make this public so I could create one in the test module.
| assert.Nil(t, result) | ||
| } | ||
|
|
||
| type nonExpiringVerifier struct { |
There was a problem hiding this comment.
This struct and the trustedPublicKeyMaterial helper is just copied from sigstore-go/main.go which isn't great. Not 100% sure what to do here because we need this to test the relevant functionality, however it probably doesn't belong in the public API.
| return hashFunc, nil | ||
| } | ||
|
|
||
| func getHashForHashAlgorithmString(hashAlgorithm string) (crypto.Hash, error) { |
There was a problem hiding this comment.
This is the string representation of the HashAlgorithm enum which gets used in the case where we're providing a trusted root (rather than public key material). Currently, different hash algorithms only work in the case where we provide trusted public key material since this enum only has a SHA2_256 value. But if we add more values to this enum, we should be able to "unlock" different hash algorithms.
| return nil | ||
| } | ||
|
|
||
| func GetHashForDigestAlgorithm(digestAlgorithm string) (crypto.Hash, error) { |
There was a problem hiding this comment.
- Figure out what this value should look like for Ed25519.
Signed-off-by: Alex Cameron <[email protected]>
| result, err = verifier.Verify(entity, verify.NewPolicy(verify.WithArtifact(bytes.NewBufferString(artifact)), verify.WithoutIdentitiesUnsafe())) | ||
| assert.NoError(t, err) | ||
|
|
||
| assert.Equal(t, result.VerifiedTimestamps[0].Type, "Tlog") |
There was a problem hiding this comment.
We should add a test for Ed25519 here. We'll need sigstore/rekor#1945 for that.
|
Now implemented. |
3 participants
Summary
Support configurable signing algorithms in
sigstore-go's verification flow. We already have the signing key/certificate so we can use the artifact digest algorithm information to figure out what hash function is being used.Release Note
Documentation