Support verifying digests in addition to artifacts #158

Merged: 1 commit, Sep 24, 2024

@facutuesca (Contributor) commented Sep 18, 2024

This PR adds support for verifying hashes (instead of files) to the CLI protocol (only when verifying bundles).

It also adapts the sigstore-python-conformance helper to support it, given sigstore-python supports verifying hashes since v3.3.0.

All the existing bundle verification tests have been parametrized to also test the hash verification, in addition to the existing Path (file) verification.

This closes #157

cc @woodruffw

@woodruffw (Member) left a comment

LGTM, nice work @facutuesca!

This is good to go, but CCing @steiza @kommendorkapten @loosebazooka as other client maintainers who will probably want to be aware of this as it goes in -- you'll likely need to update your conformance wrappers!

@steiza (Member) commented Sep 19, 2024

Adding @bdehamer for sigstore-js.

This should be fine for sigstore-go - it's easy for us to set our verification policy accordingly. I don't think this will work with cosign, which maps verify-bundle to cosign verify-blob, which only supports URLs and files, not digests.

But that's not a problem with this pull request - we'll have to figure out how to have cosign additionally handle digests, maybe as part of the VerifierOptions @codysoyland suggested in sigstore/cosign#3879.

@woodruffw merged commit 2c7252e into sigstore:main Sep 24, 2024
4 checks passed
@woodruffw (Member) commented

Thanks @facutuesca, nice work here!

Successfully merging this pull request may close these issues.

Conformance suite: support verifying by hash instead of file