Example of verifying OCI referenced images using sigstore-go #30
Conversation
|
Awesome! |
kommendorkapten
force-pushed
the
ociimage
branch
from
68621d8
to
7de91ff
Compare
There was a problem hiding this comment.
Thanks @rdimitrov , this is great! 🚀
One nit comment, otherwise this looks really good.
ping: @haydentherapper @codysoyland
|
To clarify, the purpose of sigstore-go is not to have functionality like this, it should be in cosign. But until cosign is ready to work with bundles, having an example in this repo is fine IMHO. |
|
Overall I’m fine adding this, but I would caution having the script be much more than an example. I don’t expect this will evolve into a more fleshed out CLI. We will be working on adding support for the bundle in Cosign very shortly, you can track progress in sigstore/cosign#3139. |
|
@rdimitrov, how did you envision the purpose of this code? I don’t want to put words in your mouth if you see this as more than an example. If so, then I’m a little hesitant to put so much in without tests, but I also don’t want this to become cosign. what do you think about putting some caveats in the documentation that this is meant as an example? |
cmd/sigstore-go/main.go
Outdated
| InclusionPromise: &protorekor.InclusionPromise{ | ||
| SignedEntryTimestamp: signedEntryTimestamp, | ||
| }, | ||
| InclusionProof: nil, |
There was a problem hiding this comment.
Inclusion proofs are required. If the OCI image doesn’t store it, then it can’t be used to build a valid bundle.
There was a problem hiding this comment.
I was using the example of https://github.com/sigstore/sigstore-go/blob/main/examples/bundle-provenance.json as a reference, so thus why it's like that. Can you give me some pointers on how to construct the necessary data for this?
There was a problem hiding this comment.
The test image (see the oci-image-verification.md) is signed with cosign, it appears cosign does not upload the inclusion proof, is that correct @haydentherapper ? If correct, thoughts of adding inclusion proofs when uploading to an OCI registry.
The code could be modified to verify it the inclusion proof is present, if not it could be fetched from Rekor prior to creating the bundle (it's present in the entries endpoint, how to view via curl: curl -s 'https://rekor.sigstore.dev/api/v1/log/entries?logIndex=54521426'.
Edit: asked a question if cosign should upload inclusion proof.
There was a problem hiding this comment.
For a transition period, maybe using the bundle format v0.1 (i.e only require inclusion promise) is the best way forward, then when we modify cosign, we can start to produce v0.2 bundle versions.
There was a problem hiding this comment.
The goal here is to produce a valid signature, correct (not to specifically implement the current cosign behavior)? It sounds like maybe there's also a bug report for cosign here?
There was a problem hiding this comment.
You're right that we don't store the inclusion proof - https://github.com/sigstore/cosign/blob/main/pkg/cosign/bundle/rekor.go#L23-L34
Ideally we would be storing the inclusion proof too. For some history, it's because we previously weren't doing anything with inclusion proofs, it's only been recently that we're improving the offline verification from rekor.
I'd rather not make the change in Cosign since the "rekor bundle" format has been stable for some time now. Instead we should implement protobuf bundle support which will include the inclusion proof, since it'll be stored after signing.
I'd personally prefer to not have more v01 bundles without these stronger proofs and instead make the change in Cosign rather than try to translate the existing OCI contents into an old bundle format.
|
Hey, @haydentherapper 👋 Thanks for your feedback! 🙏
That makes a lot of sense 👍 We were talking with Fredrik and we agreed this is not intended to be something more than a proof-of-concept. My intention is to replace the use of the cosign library with something smaller like sigstore-go and so we talked if it'd be worth sharing what I've done so far as another example 👍
Of course, updated the doc to explicitly state this 👍 |
cmd/sigstore-go/main.go
Outdated
| } | ||
| // 4. Construct and verify the bundle | ||
| pb := protobundle.Bundle{ | ||
| MediaType: bundle.SigstoreBundleMediaType01, |
There was a problem hiding this comment.
we should use bundle.SigstoreBundleMediaType02, but this will make the verification to fail (as the inclusion proof is missing as @haydentherapper pointed out). See https://github.com/sigstore/sigstore-go/pull/30/files#r1412940744 for more discussion on inclusion proof.
There was a problem hiding this comment.
+1, we shouldn't proliferate v01 bundles.
cmd/sigstore-go/main.go
Outdated
| } | ||
| // 4. Construct and verify the bundle | ||
| pb := protobundle.Bundle{ | ||
| MediaType: bundle.SigstoreBundleMediaType01, |
There was a problem hiding this comment.
+1, we shouldn't proliferate v01 bundles.
cmd/sigstore-go/main.go
Outdated
| return &protobundle.VerificationMaterial{ | ||
| Content: signingCert, | ||
| TlogEntries: tlogEntries, | ||
| TimestampVerificationData: nil, |
There was a problem hiding this comment.
Timestamp data is available too, stored in rfc3161timestamp
cmd/sigstore-go/main.go
Outdated
| InclusionPromise: &protorekor.InclusionPromise{ | ||
| SignedEntryTimestamp: signedEntryTimestamp, | ||
| }, | ||
| InclusionProof: nil, |
There was a problem hiding this comment.
You're right that we don't store the inclusion proof - https://github.com/sigstore/cosign/blob/main/pkg/cosign/bundle/rekor.go#L23-L34
Ideally we would be storing the inclusion proof too. For some history, it's because we previously weren't doing anything with inclusion proofs, it's only been recently that we're improving the offline verification from rekor.
I'd rather not make the change in Cosign since the "rekor bundle" format has been stable for some time now. Instead we should implement protobuf bundle support which will include the inclusion proof, since it'll be stored after signing.
I'd personally prefer to not have more v01 bundles without these stronger proofs and instead make the change in Cosign rather than try to translate the existing OCI contents into an old bundle format.
|
Thanks @rdimitrov for writing this up! It's interesting that the existing cosign signatures can be packaged into a compliant bundle, as that wasn't really the intent of this library. I think many of us see the future of using Sigstore Bundles in cosign would look something like uploading the bundle to an OCI registry as a referring artifact, and verifying the stored bundle directly. Of course this depends on the ability to sign/create bundles, which is as of yet unsupported in sigstore-go and cosign. I'm a bit hesitant to merge this for a few reasons:
I'd be open to moving this code into an |
|
Just a general comment here:
I don't believe the intent with this example code is to actually store the bundles anywhere? I was always under the impression that this example code is a way for a client to verify a bundle with sigstore-go instead cosign, by creating an in-memory representation, verify it, then throw it away. In that sense, verifying a v1 bundle is as safe as verifying it with cosign. |
yes, this is a great option, as this is just an example client using sigstore-go 👍 |
|
@kommendorkapten @haydentherapper @codysoyland - Thanks all for your feedback! 💯I appreciate it very much! 🙏 I think @kommendorkapten stated all of this correctly 👍 The bundle is used strictly as an intermediate format so I can leverage sigstore-go to verify an OCI image in runtime. I don't intend to produce and output the constructed bundle, store it somewhere, etc. This is just an example of using sigstore-go to verify an image and not intended to a tool for others to use. I'll try to summarise what I've understood so far (correct me if I'm wrong):
Based on this:
@codysoyland - I was debating whether I should put it there in the first place. I can rework this PR so it aligns with this 👍 Thanks again for your support! 🙏 |
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com> Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
|
@rdimitrov Thanks for the clarification. My concerns are largely mitigated if this is just an intermediate format and not persisted. To Cody’s last point, do we want to add some tests even if this is an example? |
Thanks @rdimitrov for understanding and moving this to an example! I just ran through the doc and everything works on my local machine. 👍🏻 |
Co-authored-by: Cody Soyland <codysoyland@github.com> Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
rdimitrov
changed the title
|
Thanks @codysoyland and @haydentherapper! 🙏 Updated the PR title and description to match, let me know if there's anything else blocking this 👍 |
Summary
The following PR provides an example of verifying OCI referenced images using sigstore-go.
Details:
--ociImageflagI realise I might have missed some corner case so I'll appreciate your feedback on how to make this better 😃
Thanks in advance!
Release Note
Example of verifying OCI referenced images using sigstore-go.
Documentation