[Signature discovery] Add a signature interface and a library to parse signature from image manifest #328
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
…generated signatures from OCI image object
lgtm
launcher/internal/oci/interface.go
Outdated
const ( | ||
// RSASSAPSS2048SHA256 is RSASSA-PSS 2048 bit key with a SHA256 digest supported for cosign sign. | ||
RSASSAPSS2048SHA256 SigningAlgorithm = "RSASSA_PSS_2048_SHA256" |
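Review bot: The doc comment on RSASSAPSS2048SHA256 says "2048 bit key" without stating whether 2048 is an exact size or a minimum, and nothing in these lines shows where the size is checked. Suggest wording the comment as a minimum, if that is the intent, and naming the place that enforces it, so the constant's name is not the only record of the restriction.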
Does this match our API enum (google.cloud.confidentialcomputing.v1main.SigningAlgorithm)?
No, our API enum does not specify bit length for an RSA public key. Since the current implementations use Tink to verify signatures and Tink only accepts keys of at least 2048 bits, I think it would be good to imply this length restriction from the naming. But to align with our API enum, we can keep the naming but change the value to RSASSA_PSS_SHA256. Done.
I actually was wondering about the other direction: should we update/change our API enum? It's confusing to put the key size here but not in the API
For RSA keys generated by all cloud KMS providers, the bit length is at least 2048. For RSA keys generated by openssl, the bit length is by default 2048. So IMO maybe we don't actually have to update our API enums for this? We can provide good documentation specifying the bit length restriction. Plus, the client side will get verification errors from the attestation service if the key length is less than 2048.
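The restriction discussed in this thread, a 2048-bit floor applied before RSASSA-PSS/SHA-256 verification, sketched as an added example that is not code from this pull request or from Tink. It uses only the Go standard library; `MinRSABits`, `ErrKeyTooShort`, `VerifyPSSSHA256` and `SignForDemo` are hypothetical names, and the keys and payload are generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MinRSABits is the 2048-bit floor mentioned in the thread (assumed policy constant).
const MinRSABits = 2048

// ErrKeyTooShort is a hypothetical sentinel so callers can tell a policy
// rejection apart from a bad signature.
var ErrKeyTooShort = errors.New("RSA key shorter than 2048 bits")

// VerifyPSSSHA256 (hypothetical helper) checks the modulus size first, then
// verifies an RSASSA-PSS signature over the SHA-256 digest of payload.
func VerifyPSSSHA256(pub *rsa.PublicKey, payload, sig []byte) error {
	if bits := pub.N.BitLen(); bits < MinRSABits {
		return fmt.Errorf("%w: got %d", ErrKeyTooShort, bits)
	}
	digest := sha256.Sum256(payload)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// SignForDemo makes a throwaway key of the given size and signs payload
// (constructed input for the example only).
func SignForDemo(bits int, payload []byte) (*rsa.PublicKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return &priv.PublicKey, sig, err
}

func main() {
	payload := []byte("constructed payload")
	for _, bits := range []int{1024, 2048} {
		pub, sig, err := SignForDemo(bits, payload)
		if err != nil {
			fmt.Println(bits, "setup failed:", err)
			continue
		}
		fmt.Println(bits, "verify error:", VerifyPSSSHA256(pub, payload, sig))
	}
}
```

The 1024-bit signature is mathematically valid, so without the size check it would verify; the sentinel error keeps that policy failure distinguishable from a tampered payload.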
func TestFetchImageSignaturesDockerPublic(t *testing.T) { | ||
ctx := namespaces.WithNamespace(context.Background(), "test") | ||
originalImageDesc := v1.Descriptor{Digest: "sha256:905a0f3b3d6d0fb37bfa448b9e78f833b73f0b19fc97fed821a09cf49e255df1"} |
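Review bot: The digest assigned to originalImageDesc is an unexplained literal, and the test name suggests it depends on a public registry. Suggest a named constant with a comment saying which image and repository the digest belongs to, and a note that the test needs network access, so a failure caused by the remote side is easy to tell apart from a regression.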
Does the codelab project make this repo public? Otherwise, the test will fail for someone without permissions.
Yes, this repo only grants roles/artifactregistry.reader permission to all users, so it is a publicly accessible repo.
Revert "Decrease MaxElapsedTime for retry backoff in tests (google#337)" (google#341)
This reverts commit 4a3d6e7. This commit has made our CI flakey, and we do not need to enable this test internally in g3.

[Signature discovery] Add a signature interface and a library to parse signature from image manifest (google#328)
* Adding a signature interface and its implementations to parse cosign-generated signatures from OCI image object

Integrate signature discovery client into attestation agent
New Features:
[launcher] Verify FS and mount before launch google#311
Integration of go-tpm-tools with go-tdx-guest google#347

Intra-version Breaking Changes:
Add launcherfile package for path and file consts google#356 breaks google#333

Bug Fixes:
[launcher] Update the token refresh logic google#325
[launcher] Fix logging blocking issue google#338

Other Changes:
[launcher] Add a new metadata flag of signedImageRepos google#320
Update go-sev-guest to v0.7.0 google#329
[launcher] Add SSH test for image. google#314
Add supported architectures to ci.yml google#330
Fix the go version number error google#326
[launcher] Signature discovery: fetch a signed image manifest at for parsing google#324
[launcher] Export attestation token filepath and filename google#333
[launcher] Increase the max file descriptor google#339
[launcher] Add a signature interface and a library to parse signature from image manifest google#328
Rename TdxVerify function to TdxQuote in server package. google#353
[launcher] Use V1 SDK in launcher verifier client google#305
Update and tidy dependencies google#344
Adding a signature interface and a cosign library that implements the interface to parse cosign-generated signature from OCI image manifest.