Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add gitsign verify #262

Merged
merged 1 commit into from
Mar 23, 2023
Merged

Add gitsign verify #262

merged 1 commit into from
Mar 23, 2023

Conversation

wlynch
Copy link
Member

@wlynch wlynch commented Mar 22, 2023

Summary

This adds a new subcommand that mirrors cosign verify for certificate
claim verification.

Previously we relied on git verify-commit for commit verification.
While this did check that the signature was valid and it exists in
rekor, it did not check whether the identity was what was expected,
because Git does not give controls over this via the commit signature
interface.

This command provides this functionality.

Also adds a warning to the output of the git verify-commit output
warning users that that verification mechanism may not be complete.

Fixes #241

Note: e2e may break - because of the id-token restrictions requiring us to run from main, idk if this actually works yet. I'll fix it if it breaks in another PR.

Release Note

  • Adds gitsign verify subcommand for verifying certificate claims.
  • Adds warning to git verify-commit output warning about certificate claim checks.

Documentation

@wlynch wlynch force-pushed the cmd-verify branch 4 times, most recently from 92d8ebc to e11d0e7 Compare March 22, 2023 23:18
@wlynch wlynch changed the title WIP: gitsign verify Add gitsign verify Mar 22, 2023
@wlynch wlynch marked this pull request as ready for review March 22, 2023 23:26
@wlynch wlynch force-pushed the cmd-verify branch 5 times, most recently from 430406a to f44784f Compare March 22, 2023 23:45
This adds a new subcommand that mirrors cosign verify for certificate
claim verification.

Previously we relied on `git verify-commit` for commit verification.
While this did check that the signature was valid and it exists in
rekor, it did not check whether the identity was what was expected,
because Git does not give controls over this via the commit signature
interface.

This command provides this functionality.

Also adds a warning to the output of the `git verify-commit` output
warning users that that verification mechanism may not be complete.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
.gitignore Show resolved Hide resolved
@wlynch wlynch merged commit b9ab03b into sigstore:main Mar 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

gitsign verify
4 participants