Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug in attest-blob when using a timestamp authority with new bundles #3877

Merged
merged 3 commits into from
Sep 18, 2024

Conversation

steiza
Copy link
Member

@steiza steiza commented Sep 11, 2024

Summary

Fix bug in #3752

When adding bundle support to attest-blob, we sent the wrong data to the timestamp authority to sign.

You can test this by first attesting to a blob with a timestamp authority and a predicate with something like:

$ go run cmd/cosign/main.go attest-blob --bundle="attest-pgi.sigstore.json" --new-bundle-format=true --key=cosign.key --tlog-upload=false --timestamp-server-url="https://timestamp.githubapp.com/api/v1/timestamp" --tlog-upload=false --type=something --predicate="../sigstore-go/examples/sigstore-go-signing/intoto.txt" ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

Then the verification which previously failed (and now succeeds) looks like:

$ go run cmd/cosign/main.go verify-blob-attestation --trusted-root=trusted_root_with_timestamps.public.json --use-signed-timestamps=true --insecure-ignore-tlog=true --key=cosign.pub --bundle="attest-pgi.sigstore.json" --new-bundle-format=true --type=something ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

Release Note

  • Fixed bug that created bundles with incorrect signed timestamps when attest-blob was used with new bundles

Documentation

N/A

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>
Copy link

codecov bot commented Sep 11, 2024

Codecov Report

Attention: Patch coverage is 0% with 36 lines in your changes missing coverage. Please review.

Project coverage is 36.60%. Comparing base (2ef6022) to head (004061c).
Report is 217 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/attest/attest_blob.go 0.00% 28 Missing ⚠️
cmd/cosign/cli/attest/attest.go 0.00% 8 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3877      +/-   ##
==========================================
- Coverage   40.10%   36.60%   -3.50%     
==========================================
  Files         155      203      +48     
  Lines       10044    12811    +2767     
==========================================
+ Hits         4028     4690     +662     
- Misses       5530     7538    +2008     
- Partials      486      583      +97     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also fix

responseBytes, err := tsa.GetTimestampedSignature(signedPayload, tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL))
, which I believe has the same issue?

@haydentherapper
Copy link
Contributor

Could you test that this doesn't break the existing verification flows for verify-attestation and verify-blob-attestation without using sigstore-go? I think we might have overloaded sig in a few places such that the verifier is expecting the DSSE envelope to have been signed over rather than the DSSE's sig, but I haven't dug in closely yet.

@haydentherapper
Copy link
Contributor

haydentherapper commented Sep 11, 2024

Grumble grumble, this will affect verification for non-bundle flows, see

cosign/pkg/cosign/verify.go

Lines 1140 to 1154 in 780780b

if len(b64Sig) == 0 {
// For attestations, the Base64Signature is not set, therefore we rely on the signed payload
signedPayload, err := sig.Payload()
if err != nil {
return nil, fmt.Errorf("reading the payload: %w", err)
}
tsBytes = signedPayload
} else {
// create timestamp over raw bytes of signature
rawSig, err := base64.StdEncoding.DecodeString(b64Sig)
if err != nil {
return nil, err
}
tsBytes = rawSig
}
. We verify using either the signature or the signed payload.

I think the cleanest solution would be to change this only for the case where you provide the new bundle flag.

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>
steiza added a commit to steiza/cosign that referenced this pull request Sep 12, 2024
Also remove fix that is being handled in sigstore#3877

Signed-off-by: Zach Steindler <steiza@github.com>
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! Just a comment about a test.

// Envelope. However, when sigstore clients are verifying a bundle they
// will use the DSSE Sig field, so we choose what signature to send to
// the timestamp authority based on our output format.
if c.NewBundleFormat {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test under e2e_test as well? A copy of

func TestAttestationRFC3161Timestamp(t *testing.T) {
that uses AttestBlobCommand?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! This would have been a lot harder if I had not written #3876 recently 😅

Signed-off-by: Zach Steindler <steiza@github.com>
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@haydentherapper haydentherapper merged commit 4393313 into sigstore:main Sep 18, 2024
23 checks passed
steiza added a commit to steiza/cosign that referenced this pull request Sep 23, 2024
Also remove fix that is being handled in sigstore#3877

Signed-off-by: Zach Steindler <steiza@github.com>
dmitris pushed a commit to dmitris/cosign that referenced this pull request Oct 17, 2024
…les (sigstore#3877)

* Fix bug in sigstore#3752

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>

* Only change timestamp authority signature behavior for new bundles

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>

* Add happy path e2e test

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
kipz pushed a commit to kipz/cosign that referenced this pull request Oct 21, 2024
…les (sigstore#3877)

* Fix bug in sigstore#3752

When adding bundles support to `attest-blob`, we sent the wrong data to
the timestamp authority to sign.

Signed-off-by: Zach Steindler <steiza@github.com>

* Only change timestamp authority signature behavior for new bundles

Also add TODO when we get to updating `cosign attest`

Signed-off-by: Zach Steindler <steiza@github.com>

* Add happy path e2e test

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants