-
Notifications
You must be signed in to change notification settings - Fork 550
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix bug in attest-blob when using a timestamp authority with new bundles #3877
Fix bug in attest-blob when using a timestamp authority with new bundles #3877
Conversation
When adding bundles support to `attest-blob`, we sent the wrong data to the timestamp authority to sign. Signed-off-by: Zach Steindler <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3877 +/- ##
==========================================
- Coverage 40.10% 36.60% -3.50%
==========================================
Files 155 203 +48
Lines 10044 12811 +2767
==========================================
+ Hits 4028 4690 +662
- Misses 5530 7538 +2008
- Partials 486 583 +97 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also fix
cosign/cmd/cosign/cli/attest/attest.go
Line 179 in 780780b
responseBytes, err := tsa.GetTimestampedSignature(signedPayload, tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL)) |
Could you test that this doesn't break the existing verification flows for |
Grumble grumble, this will affect verification for non-bundle flows, see Lines 1140 to 1154 in 780780b
I think the cleanest solution would be to change this only for the case where you provide the new bundle flag. |
Also add TODO when we get to updating `cosign attest` Signed-off-by: Zach Steindler <[email protected]>
Also remove fix that is being handled in sigstore#3877 Signed-off-by: Zach Steindler <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks! Just a comment about a test.
// Envelope. However, when sigstore clients are verifying a bundle they | ||
// will use the DSSE Sig field, so we choose what signature to send to | ||
// the timestamp authority based on our output format. | ||
if c.NewBundleFormat { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a test under e2e_test as well? A copy of
Line 771 in 081dea1
func TestAttestationRFC3161Timestamp(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure! This would have been a lot harder if I had not written #3876 recently 😅
Signed-off-by: Zach Steindler <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Also remove fix that is being handled in sigstore#3877 Signed-off-by: Zach Steindler <[email protected]>
…les (sigstore#3877) * Fix bug in sigstore#3752 When adding bundles support to `attest-blob`, we sent the wrong data to the timestamp authority to sign. Signed-off-by: Zach Steindler <[email protected]> * Only change timestamp authority signature behavior for new bundles Also add TODO when we get to updating `cosign attest` Signed-off-by: Zach Steindler <[email protected]> * Add happy path e2e test Signed-off-by: Zach Steindler <[email protected]> --------- Signed-off-by: Zach Steindler <[email protected]>
…les (sigstore#3877) * Fix bug in sigstore#3752 When adding bundles support to `attest-blob`, we sent the wrong data to the timestamp authority to sign. Signed-off-by: Zach Steindler <[email protected]> * Only change timestamp authority signature behavior for new bundles Also add TODO when we get to updating `cosign attest` Signed-off-by: Zach Steindler <[email protected]> * Add happy path e2e test Signed-off-by: Zach Steindler <[email protected]> --------- Signed-off-by: Zach Steindler <[email protected]>
Summary
Fix bug in #3752
When adding bundle support to
attest-blob
, we sent the wrong data to the timestamp authority to sign.You can test this by first attesting to a blob with a timestamp authority and a predicate with something like:
Then the verification which previously failed (and now succeeds) looks like:
Release Note
attest-blob
was used with new bundlesDocumentation
N/A