Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: npm publish verification #705

Merged
merged 20 commits into from
Oct 2, 2023
Merged

fix: npm publish verification #705

merged 20 commits into from
Oct 2, 2023

Conversation

laurentsimon
Copy link
Contributor

@laurentsimon laurentsimon commented Sep 26, 2023
edited
Loading

  • adding support for IEEE P1363 formatted signatures
  • fix the npm publish attestation bug. The verification always return success, because it was not using PAE signature

@laurentsimon
Fix npm publish verification
0e4ca98 
Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon
update
90a9a36 
Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon
Copy link
Contributor Author

@trishankatdatadog PTAL

ianlewis
ianlewis reviewed Sep 27, 2023
View reviewed changes
verifiers/utils/dsse.go Outdated Show resolved Hide resolved
verifiers/utils/dsse.go Show resolved Hide resolved
verifiers/utils/dsse.go Outdated Show resolved Hide resolved
verifiers/utils/dsse.go Outdated Show resolved Hide resolved
verifiers/utils/dsse.go Outdated Show resolved Hide resolved
verifiers/internal/gha/npm.go Outdated Show resolved Hide resolved
verifiers/internal/gha/npm.go Outdated Show resolved Hide resolved
verifiers/internal/gha/npm.go Outdated Show resolved Hide resolved
verifiers/internal/gha/npm.go Show resolved Hide resolved
verifiers/internal/gha/npm.go Outdated Show resolved Hide resolved
@ianlewis
Copy link
Member

I like that you used the dsselib.EnvelopeVerifier interface.

Could you maybe add a bit more in the PR description as to what this PR is doing? esp. that this is adding support for IEEE P1363 formatted signatures.

@laurentsimon
Add tests and fix linter
1e17039 
Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon
remove file
fd1dbdf 
Signed-off-by: laurentsimon <laurentsimon@google.com>
@trishankatdatadog
Copy link
Member

Can confirm the patch works:

➜  slsa-verifier git:(fix/npm-publish-sig) SLSA_VERIFIER_EXPERIMENTAL=1 go run ./cli/slsa-verifier verify-npm-package ~/github.com/trishankatdatadog/hekate/supreme-goggles.tgz \
  --attestations-path ~/github.com/trishankatdatadog/hekate/attestations.json \
  --builder-id "https://github.com/actions/runner/github-hosted" \
  --package-name "@trishankatdatadog/supreme-goggles" \
  --package-version 1.0.5 \
  --source-uri github.com/trishankatdatadog/supreme-goggles
Verified build using builder https://github.com/actions/runner/github-hosted at commit 38ebf99444e033b2f1550c9aaaeacd62d02a12ba
Verifying npm package /Users/trishank.kuppusamy/github.com/trishankatdatadog/hekate/supreme-goggles.tgz: FAILED: invalid signature: accepted signatures do not match threshold, Found: 0, Expected 1

FAILED: SLSA verification failed: invalid signature: accepted signatures do not match threshold, Found: 0, Expected 1
exit status 1

Will try to review code ASAP. Thanks for fixing this!

laurentsimon and others added 14 commits September 27, 2023 09:36
@laurentsimon
Update verifiers/utils/dsse.go
fad0f3d 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
ed19f8e 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
e86dfad 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/internal/gha/npm.go
cdc4e4c 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/internal/gha/npm.go
5d4f1c2 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/internal/gha/npm.go
167025f 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/internal/gha/npm.go
7dcaf77 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
0362bdf 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
4236743 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/internal/gha/verifier.go
58a9896 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
a468d49 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
Update verifiers/utils/dsse.go
52b156f 
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon
address comments
fa57b03 
Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon
update
f258675 
Signed-off-by: laurentsimon <laurentsimon@google.com>
trishankatdatadog
trishankatdatadog reviewed Sep 27, 2023
View reviewed changes
cli/slsa-verifier/main_regression_test.go Outdated Show resolved Hide resolved
cli/slsa-verifier/main_regression_test.go Outdated Show resolved Hide resolved
cli/slsa-verifier/main_regression_test.go Show resolved Hide resolved
verifiers/internal/gha/npm.go Show resolved Hide resolved
verifiers/internal/gha/npm.go Show resolved Hide resolved
laurentsimon and others added 2 commits September 27, 2023 12:53
@laurentsimon @trishankatdatadog
Update cli/slsa-verifier/main_regression_test.go
ca7c111 
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
@laurentsimon @trishankatdatadog
Update cli/slsa-verifier/main_regression_test.go
45225ba 
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
trishankatdatadog
trishankatdatadog approved these changes Sep 27, 2023
View reviewed changes
Copy link
Member

@trishankatdatadog trishankatdatadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, could use another pair of eyes to see whether I missed anything, thx!

@laurentsimon
Copy link
Contributor Author

LGTM, could use another pair of eyes to see whether I missed anything, thx!

@ianlewis provided a good review already. Waiting for his LGTM too. Thanks again!

@trishankatdatadog
Copy link
Member

Just to double-check: we do verify that the observed artefact digest does match the expected subject digest in both the provenance and publish attestations, correct?

@laurentsimon
Copy link
Contributor Author

Just to double-check: we do verify that the observed artefact digest does match the expected subject digest in both the provenance and publish attestations, correct?

yes

@trishankatdatadog
Copy link
Member

yes

Sorry to press you, but is there a test to this effect? I may have missed it...

ianlewis
ianlewis approved these changes Oct 2, 2023
View reviewed changes
Copy link
Member

@ianlewis ianlewis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

cli/slsa-verifier/main_regression_test.go
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature publish npm CLI",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have tests for package name, version, and signature mismatches but @trishankatdatadog mentioned that we are missing a test for a publish attestation digest mismatch.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we create an issue to track this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is #707 ok?

verifiers/utils/dsse.go
func DsseVerifierNew(content []byte, format KeyFormat, keyID string, sigEncoding *SignatureEncoding) (*dsselib.EnvelopeVerifier, error) {
if format == KeyFormatPEM {
block, rest := pem.Decode(content)
if rest != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit

Suggested change
if rest != nil {
if len(rest) != 0 {

@laurentsimon
Copy link
Contributor Author

yes

Sorry to press you, but is there a test to this effect? I may have missed it...

the tests are not part of this PR. They are present in the rest of the code.

@laurentsimon laurentsimon merged commit f6ae402 into slsa-framework:main Oct 2, 2023
14 checks passed
@laurentsimon laurentsimon mentioned this pull request Oct 2, 2023
Closed
laurentsimon added a commit that referenced this pull request Oct 9, 2023
@laurentsimon
feat: Address unresolved comments from #705 (#708)
3b171c4 
closes #707

Signed-off-by: laurentsimon <laurentsimon@google.com>
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Jul 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trishankatdatadog trishankatdatadog trishankatdatadog approved these changes

@ianlewis ianlewis ianlewis approved these changes

@asraa asraa Awaiting requested review from asraa

@kpk47 kpk47 Awaiting requested review from kpk47

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@laurentsimon @ianlewis @trishankatdatadog