From 8869c8a5155fcf554f5bc8dfa4ac3cae624d8513 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Tue, 26 Mar 2024 09:31:14 -0700 Subject: [PATCH] fix: Switch to newer DSSE rekor type (#3299) The intoto v001 type does not persist signatures of the DSSE envelope, as noted in https://github.com/sigstore/rekor/pull/973. We introduced an intoto v002 type shortly after to fix this, but since then, we've introduced another newer type, DSSE v001, which also does not persist the attestation in Rekor (as we discourage using Rekor as storage). I also updated the verifier in https://github.com/slsa-framework/slsa-verifier/pull/742 to search for both Rekor entry types. # Summary ... ## Testing Process ... ## Checklist - [ ] Review the contributing [guidelines](./../CONTRIBUTING.md) - [ ] Add a reference to related issues in the PR description. - [ ] Update documentation if applicable. - [ ] Add unit tests if applicable. - [ ] Add changes to the [CHANGELOG](./../CHANGELOG.md) if applicable. --------- Signed-off-by: Hayden Blauzvern Signed-off-by: Hayden B Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- CHANGELOG.md | 13 ++++++++++++- signing/sigstore/rekor.go | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26b4b7c11b..251236f034 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 +- [Unreleased](#unreleased) + - [Unreleased: DSSE Rekor Type](#unreleased-dsse-rekor-type) - [v1.10.0](#v1100) - [v1.10.0: TUF fix](#v1100-tuf-fix) - [v1.10.0: Gradle Builder](#v1100-gradle-builder) 
@@ -98,9 +100,18 @@ Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name duplication." --> +## Unreleased + +### Unreleased: DSSE Rekor Type + +- When uploading signed provenance to the log, the entry created in the log is now + a DSSE Rekor type. This fixes a bug where the current intoto type does not + persist provenance signatures. The attestation will no longer be persisted + in Rekor (#3299) + ## v1.10.0 -Release [v1.10.0] includes bug fixes and new features. +Release [v1.10.0](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0) includes bug fixes and new features. See the [full change list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0). diff --git a/signing/sigstore/rekor.go b/signing/sigstore/rekor.go index fed2f8e4a7..0dd2bc2c69 100644 --- a/signing/sigstore/rekor.go +++ b/signing/sigstore/rekor.go @@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo return nil, fmt.Errorf("creating rekor client: %w", err) } // TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM? - logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert()))) + logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert()))) if err != nil { return nil, fmt.Errorf("uploading attestation: %w", err) }
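Review bot: The new "Unreleased: DSSE Rekor Type" changelog entry should state the compatibility consequence for consumers, not only the storage change. Because the log entry is now a DSSE type and the attestation itself is no longer stored in Rekor, verifiers that only search for intoto entries will not find provenance uploaded by this version; the commit message says slsa-verifier was updated in slsa-framework/slsa-verifier#742 to search both entry types, so the entry should name that requirement (for example, append "Verifiers must search for DSSE entries; slsa-verifier was updated in slsa-framework/slsa-verifier#742" to the bullet) and make clear that the signed envelope must be obtained from the release artifacts rather than from the transparency log.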
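Review bot: The `signing/sigstore/rekor.go` hunk swaps `cosign.TLogUploadInTotoAttestation` for `cosign.TLogUploadDSSEEnvelope` with an identical argument list, but the diffstat shows only `CHANGELOG.md` and `rekor.go` changing, with no `go.mod`/`go.sum` bump; please confirm the currently pinned cosign module already exports `TLogUploadDSSEEnvelope` with this signature, otherwise the build breaks. Since the DSSE entry records only the envelope hash and signatures and not the attestation body, a short comment above the call (e.g. `// The DSSE entry does not persist the attestation; callers must keep att.Bytes() alongside the log entry for verification.`) would document the behaviour change at the site where it happens. The pre-existing `TODO` about `[]byte(string(att.Cert()))` is carried over unchanged and still deserves an issue reference.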