Support for converting manifests to in-toto statements #248

Closed
susperius opened this issue Jul 23, 2024 · 3 comments · Fixed by #267
Comments

@susperius
Contributor

Description

Tracking bug for manifest to in-toto statement conversion.

In order to sign and store model signatures in a sigstore bundle the manifest must be converted to an in-toto statement.

@susperius susperius added the enhancement New feature or request label Jul 23, 2024
@mihaimaruseac mihaimaruseac added this to the V1 release milestone Jul 24, 2024
@mihaimaruseac
Collaborator

Included in my draft work, will send a draft PR

mihaimaruseac added a commit to mihaimaruseac/model-transparency that referenced this issue Jul 24, 2024
THIS IS DRAFT, WIP. Will split into separate PRs once it works. But
posting publicly to show what the plans are (sigstore#224, sigstore#248, sigstore#240, sigstore#111).

Signed-off-by: Mihai Maruseac <[email protected]>
@laurentsimon
Collaborator

laurentsimon commented Jul 24, 2024

I've had some thoughts about the intoto format. In #111, we expressed concern over listing each file as intoto subjects, because tooling like cosign can be used to (wrongly) verify only a subset of subjects. Here's an idea that may be able to address this concern:

  1. We list the (file, (custom?) hash) inside the predicate, not the intoto subject
  2. We output a single subject in the intoto subject list by serializing the list of (file, hash), like we currently do in our existing PoC. We need not serialize JSON (which requires canonicalization and is often a source of breakage across implementations), but a simple format like base64(path).hash-value as shown here. Other metadata for each file need not be serialized but are still protected by the manifest signature. Serialization schemes may vary, so we'll need a way to convey this as well. There are 2 ways to achieve this:
    a. In subject, by changing the hash scheme scheme-sha256. This is a bit harder to support with sigstore-python, unless we build the protobuf ourselves.
    b. We add the scheme type under the predicate. I lean towards this solution.

So overall it would look like the following:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://something/model-signing/v1",
  "subject": [
    {
      "digest": {
        "sha256": "blabla"
      }
    }
  ],
  "predicate": {
    "serialization": "some-name/v1",
    "files": [
      {
        "path": "to/file1",
        "digest": {
          "sha256": "bla"
        }
      },
      {
        "path": "to/file2",
        "digest": {
          "custom": "bla"
        }
      }
    ]
  }
}
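The single-subject layout sketched above, as an added example that is not the project's code: the per-file list goes in the predicate, the subject is the sha256 of a `base64(path).hash-value` serialization, and verification recomputes that digest from every local file so a subset cannot pass. The `predicateType` URL and the serialization name are placeholders, and the file hashes are constructed sample values.

```python
import base64
import hashlib

SERIALIZATION = "b64path-dot-sha256/v1"  # constructed scheme name for the predicate


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serialize_manifest(files: dict[str, str]) -> bytes:
    # One line per file, "base64(path).hash-value", sorted by path so the
    # result is deterministic without any JSON canonicalization.
    lines = []
    for path in sorted(files):
        b64 = base64.b64encode(path.encode("utf-8")).decode("ascii")
        lines.append(f"{b64}.{files[path]}")
    return "\n".join(lines).encode("utf-8")


def build_statement(files: dict[str, str]) -> dict:
    # Exactly one subject: the digest of the serialized (path, hash) list.
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://example.invalid/model-signing/v1",  # placeholder
        "subject": [{"digest": {"sha256": hash_bytes(serialize_manifest(files))}}],
        "predicate": {
            "serialization": SERIALIZATION,
            "files": [{"path": p, "digest": {"sha256": h}} for p, h in sorted(files.items())],
        },
    }


def verify_statement(statement: dict, local_files: dict[str, str]) -> bool:
    # local_files: path -> sha256 computed from the model on disk. The subject
    # only matches if every file is present with its exact hash, so a missing,
    # extra or modified file fails verification.
    pred = statement["predicate"]
    if pred.get("serialization") != SERIALIZATION:
        return False
    listed = {f["path"]: f["digest"]["sha256"] for f in pred["files"]}
    if listed != local_files:
        return False
    subjects = statement["subject"]
    expected = hash_bytes(serialize_manifest(local_files))
    return len(subjects) == 1 and subjects[0]["digest"].get("sha256") == expected


SAMPLE_FILES = {  # constructed: path -> sha256 of constructed content
    "model/weights.bin": hash_bytes(b"constructed weights"),
    "model/config.json": hash_bytes(b'{"layers": 2}'),
}
```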

@susperius
Contributor Author

I agree with you. It only feels like "abusing" the format, which is mostly because sigstore has hard-coded the acceptable hashes in their code base.

Perhaps it would be best to go down the route of our own format to avoid additional headache.
So we can serialize the manifest to an on-disk format and utilize sigstore's hashed record. We then store the bundle and manifest together and are done with it.
