Make in-toto-golang sig env agnostic, enable DSSE #228

Merged: 2 commits, May 4, 2023

adityasaky
Member

Fixes issue: #148, supersedes #151

Description:

Makes in-toto-golang agnostic to the signature wrapper used via a generic Metadata interface that can handle either Metablock or DSSE.

Please verify and check that the pull request fulfills the following
requirements:

  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature
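
One way a loader could stay agnostic to the signature wrapper, as the description above outlines. This is an added example, not code from this PR or from in-toto-golang: the `Metadata` method set, `LoadMetadata`, and the sample input are assumptions made for illustration, and signature verification itself is left out. `PAE` follows the pre-authentication encoding from the DSSE specification.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Metadata is a hypothetical wrapper-agnostic view of signed in-toto metadata.
type Metadata interface {
	Wrapper() string
	Payload() ([]byte, error) // the link or layout JSON inside the wrapper
}

// Metablock is {"signed": ..., "signatures": [...]}; Envelope is DSSE with a base64 "payload".
type Metablock struct{ Signed json.RawMessage `json:"signed"` }
type Envelope struct{ PayloadB64 string `json:"payload"` }
func (m *Metablock) Wrapper() string { return "metablock" }
func (m *Metablock) Payload() ([]byte, error) { return m.Signed, nil }
func (e *Envelope) Wrapper() string { return "dsse" }
func (e *Envelope) Payload() ([]byte, error) { return base64.StdEncoding.DecodeString(e.PayloadB64) }
// PAE is the DSSE pre-authentication encoding: the bytes a DSSE signature covers.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// LoadMetadata picks the wrapper from the top-level keys and rejects ambiguous input.
func LoadMetadata(data []byte) (Metadata, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(data, &keys); err != nil {
		return nil, err
	}
	_, hasSigned := keys["signed"]
	_, hasPayload := keys["payload"]
	switch {
	case hasSigned == hasPayload: // both present or both absent
		return nil, fmt.Errorf("cannot determine signature wrapper")
	case hasSigned:
		m := &Metablock{}
		return m, json.Unmarshal(data, m)
	}
	e := &Envelope{}
	return e, json.Unmarshal(data, e)
}

func main() {
	md, err := LoadMetadata([]byte(`{"signed":{"_type":"link"},"signatures":[]}`)) // constructed sample
	fmt.Println(md.Wrapper(), err, string(PAE("application/vnd.in-toto+json", []byte("{}"))))
}
```

Rejecting a document that carries both `signed` and `payload` keeps a verifier from checking the signature over one body while a later stage reads the other.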

@adityasaky
Member Author

So far, it doesn't implement DSSE support, it just introduces support via the Metadata interface. I'm waiting on a couple of PRs in go-securesystemslib to move to use here.

@adityasaky adityasaky force-pushed the dsse-support branch 7 times, most recently from 692ab4d to 81d8e43 Compare May 2, 2023 21:10
@adityasaky
Member Author

I've added some tests to runlib for the DSSE envelope. I'm missing more comprehensive tests for verifylib. I have a simple one using a DSSE layout but the more complicated one is going to be regenerating link metadata using DSSE and storing them in a non-confusing way. The best bet may be to rename the steps write-code -> write-code-dsse and update the artifact rules as well. WDYT @pxp928?

@adityasaky adityasaky requested a review from pxp928 May 2, 2023 21:13
@adityasaky
Member Author

BTW, this PR is blocked on an upstream release of go-securesystemslib.

Resolved review threads:

  • cmd/run.go
  • in_toto/envelope.go
  • in_toto/envelope.go (outdated)
  • in_toto/examples_test.go
  • in_toto/model.go
  • in_toto/verifylib.go

@pxp928
Member

pxp928 commented May 3, 2023

> I've added some tests to runlib for the DSSE envelope. I'm missing more comprehensive tests for verifylib. I have a simple one using a DSSE layout but the more complicated one is going to be regenerating link metadata using DSSE and storing them in a non-confusing way. The best bet may be to rename the steps write-code -> write-code-dsse and update the artifact rules as well. WDYT @pxp928?

Yup, that makes sense.

@adityasaky
Member Author

I added a DSSE stack of tests @pxp928 as well.

@adityasaky adityasaky force-pushed the dsse-support branch 2 times, most recently from bb3e8a4 to 8a9cbe7 Compare May 3, 2023 19:11
* Move them into attestations.go
* Remove DSSE signer in favour of go-securesystemslib implementation

Signed-off-by: Aditya Sirish <aditya@saky.in>
Member

@pxp928 pxp928 left a comment

LGTM!

This change introduces the signature wrapper agnostic Metadata interface
and support for DSSE.

Signed-off-by: Aditya Sirish <aditya@saky.in>
@adityasaky adityasaky merged commit 89f68ce into in-toto:master May 4, 2023
@adityasaky adityasaky deleted the dsse-support branch May 4, 2023 03:23