Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

signature-verification: accommodate changes in cosign cli behavior and add tldr #334

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

signature-verification: accommodate changes in cosign cli behavior and add tldr #334

wants to merge 2 commits into from

Conversation

mohammed90
Copy link
Member

@mohammed90 mohammed90 commented Jul 30, 2023
edited
Loading

TODO:

  • Figure out how to fetch UUID of tlog entry using cosign to retain the multi-perspective verification

This is how the tldr looks

image

Closes #312

@mohammed90
signature-verification: accommodate changes in cosign cli behavior an…
5a65563 
…d add tldr

Closes TL;DR needed for Signature Verification page #312
@francislavoie
Copy link
Member

I'd maybe add spaces in front of each line of the command for alignment, similar to https://caddyserver.com/docs/running#usage

@mohammed90
Copy link
Member Author

Notes to come back to to finish this PR:

  • The command rekor-cli search --artifact ./{artifact} --format json, returns {"UUIDs":["uuid-value"]}
  • The command rekor-cli get --uuid {output-from-previous} --format json gives this output:
{
    "Attestation": "",
    "AttestationType": "",
    "Body": {
        "HashedRekordObj": {
            "data": {
                "hash": {
                    "algorithm": "sha256",
                    "value": "7807ee6fcade5e48981fa1f41d5f72ca628cd0dcdaab79cdfe0a49909f606466"
                }
            },
            "signature": {
                "content": "MEUCIFYLRP5bkLk1LurwH6lGBqaU/kOS16s0tbJW+ImlD6TNAiEAmvE6/bvmb94hbGfaA34AOIRnytct6Uj+zikxIm4GACE=",
                "publicKey": {
                    "content": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdxekNDQmpHZ0F3SUJBZ0lVT1VBZmV3ZHpMKzZqdWpjTnJDbzdQcVlQRTNjd0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpReE1qTXhNVGN4T0RVMVdoY05NalF4TWpNeE1UY3lPRFUxV2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVXV0FZNHl6b1VMa05hTit0Rm9QN29mVHF0VzYwT2VPTVJaY2MKM0s4MHphWnlPdkV2azR6cUx1Y2FYTFBmd0xoRDN0TnBNRG9JS3d2RXVyVzhEZWZ3anFPQ0JWQXdnZ1ZNTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVUxRVpCClBwK2hoKzJkeTF6TEdURVNuYk9hUmJFd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d1lRWURWUjBSQVFIL0JGY3dWWVpUYUhSMGNITTZMeTluYVhSb2RXSXVZMjl0TDJOaFpHUjVjMlZ5ZG1WeQpMMk5oWkdSNUx5NW5hWFJvZFdJdmQyOXlhMlpzYjNkekwzSmxiR1ZoYzJVdWVXMXNRSEpsWm5NdmRHRm5jeTkyCk1pNDVMakF3T1FZS0t3WUJCQUdEdnpBQkFRUXJhSFIwY0hNNkx5OTBiMnRsYmk1aFkzUnBiMjV6TG1kcGRHaDEKWW5WelpYSmpiMjUwWlc1MExtTnZiVEFTQmdvckJnRUVBWU8vTUFFQ0JBUndkWE5vTURZR0Npc0dBUVFCZzc4dwpBUU1FS0RObU0yWTRZak5rTlRJM01HRmtaRFEyWkRWbVl6ZGtPVGxpWkdOak56QTFZV1F5WkRWa1pqUXdGUVlLCkt3WUJCQUdEdnpBQkJBUUhVbVZzWldGelpUQWZCZ29yQmdFRUFZTy9NQUVGQkJGallXUmtlWE5sY25abGNpOWoKWVdSa2VUQWVCZ29yQmdFRUFZTy9NQUVHQkJCeVpXWnpMM1JoWjNNdmRqSXVPUzR3TURzR0Npc0dBUVFCZzc4dwpBUWdFTFF3cmFIUjBjSE02THk5MGIydGxiaTVoWTNScGIyNXpMbWRwZEdoMVluVnpaWEpqYjI1MFpXNTBMbU52CmJUQmpCZ29yQmdFRUFZTy9NQUVKQkZVTVUyaDBkSEJ6T2k4dloybDBhSFZpTG1OdmJTOWpZV1JrZVhObGNuWmwKY2k5allXUmtlUzh1WjJsMGFIVmlMM2R2Y210bWJHOTNjeTl5Wld4bFlYTmxMbmx0YkVCeVpXWnpMM1JoWjNNdgpkakl1T1M0d01EZ0dDaXNHQVFRQmc3OHdBUW9FS2d3b00yWXpaamhpTTJRMU1qY3dZV1JrTkRaa05XWmpOMlE1Ck9XSmtZMk0zTURWaFpESmtOV1JtTkRBZEJnb3JCZ0VFQVlPL01BRUxCQThNRFdkcGRHaDFZaTFvYjNOMFpXUXcKTkFZS0t3WUJCQUdEdnpBQkRBUW1EQ1JvZEhSd2N6b3ZMMmRwZEdoMVlpNWpiMjB2WTJGa1pIbHpaWEoyWlhJdgpZMkZrWkhrd09BWUtLd1lCQkFHRHZ6QUJEUVFxRENnelpqTm1PR0l6WkRVeU56QmhaR1EwTm1RMVptTTNaRGs1ClltUmpZemN3TldGa01tUTFaR1kwTUNBR0Npc0dBUVFCZzc4d0FRNEVFZ3dRY21WbWN5OTBZV2R6TDNZeUxqa3UKTURBWUJnb3JCZ0VFQVlPL01BRVBCQW9NQ0RJNU1qQTNOakl4TUM0R0Npc0dBUVFCZzc4d0FSQUVJQXdlYUhSMApjSE02THk5bmFYUm9kV0l1WTI5dEwyTmhaR1I1YzJWeWRtVnlNQmdHQ2lzR0FRUUJnNzh3QVJFRUNnd0lNVEk1Ck5UVTFNamd3WXdZS0t3WUJCQUdEdnpBQkVnUlZERk5vZEhSd2N6b3ZMMmRwZEdoMVlpNWpiMjB2WTJGa1pIbHoKWlhKMlpYSXZZMkZrWkhrdkxtZHBkR2gxWWk5M2IzSnJabXh2ZDNNdmNtVnNaV0Z6WlM1NWJXeEFjbVZtY3k5MApZV2R6TDNZeUxqa3VNREE0QmdvckJnRUVBWU8vTUFFVEJDb01LRE5tTTJZNFlqTmtOVEkzTUdGa1pEUTJaRFZtCll6ZGtPVGxpWkdOak56QTFZV1F5WkRWa1pqUXdGQVlLS3dZQkJBR0R2ekFCRkFRR0RBUndkWE5vTUZnR0Npc0cKQVFRQmc3OHdBUlVFU2d4SWFIUjBjSE02THk5bmFYUm9kV0l1WTI5dEwyTmhaR1I1YzJWeWRtVnlMMk5oWkdSNQpMMkZqZEdsdmJuTXZjblZ1Y3k4eE1qVTJNakEzTnpNek5pOWhkSFJsYlhCMGN5OHhNQllHQ2lzR0FRUUJnNzh3CkFSWUVDQXdHY0hWaWJHbGpNSUdLQmdvckJnRUVBZFo1QWdRQ0JId0VlZ0I0QUhZQTNUMHdhc2JIRVRKakdSNGMKbVdjM0FxSktYcmplUEszL2g0cHlnQzhwN280QUFBR1VIYnBJdGdBQUJBTUFSekJGQWlFQTJoMlZ1Q0tCNWFCYQo2WTJreXpKb3FFSFUvNVNhUlY5UTRKR2NCaGwyN1JNQ0lBN2hMYkVjeGpJaEFWZlBVSy9TRlJZc093bmg3VkJGCmxaZkxOZTg5bkhTVE1Bb0dDQ3FHU000OUJBTURBMmdBTUdVQ01RRGlJTVNhaC8wQ3h4U2tSN28ybjBDL2hnbEUKR1RZcjY1K2taeHp2emZEL2I1UmNiM2llQXZSZHhreE1vUWhUUHNJQ01Ia2FPb25WRVRXNjVrTXIvMi9HckppVgp1UEVmeEUzTjFCWnY5TUpJOXJvY01Ud294akVBdkpjU1p5VGFIZ0k1cmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
                }
            }
        }
    },
    "LogIndex": 158520902,
    "IntegratedTime": 1735665535,
    "UUID": "108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964",
    "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}

The value of Body.signature.publicKey.content is the base64 of the certificate generated by cosign in CI/CD pipeline.

I think this closes the verification loop and confirms the blob signature and transparency entry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mholt mholt mholt left review comments

@francislavoie francislavoie Awaiting requested review from francislavoie

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TL;DR needed for Signature Verification page
3 participants
@mohammed90 @francislavoie @mholt