Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose DSSE verification in the CLI #999

Closed
woodruffw opened this issue May 2, 2024 · 1 comment · Fixed by #1015
Closed

Expose DSSE verification in the CLI #999

woodruffw opened this issue May 2, 2024 · 1 comment · Fixed by #1015
Labels
component:cli CLI components component:verification Core verification functionality enhancement New feature or request
Milestone
3.0

Comments

@woodruffw
Copy link
Member

Per #628, we now have DSSE signing and verifying support in the APIs. We haven't, however, exposed it via the CLI, for a few reasons:

  1. DSSE verification isn't conceptually tied to an independent input in the way that our current sigstore verify ... commands expect: with DSSE the input is embedded in the bundle, cryptographically verified, and then returned for subsequent policy verification. If we want to expose DSSE verification in the CLI, we'll need to decide whether to accomodate that pattern or whether to restrict it (e.g. by requiring a file to verify against, which must either fully match the payload, or must match the in-toto statement's subject digest, or something else).
  2. It isn't 100% clear to me if/how we should return the verified DSSE payload: it might be binary, an in-toto statement, or something else. Maybe the CLI could only support in-toto JSON payloads.
  3. We need to figure out how to communicate the DSSE verification model to users: sigstore verify is conceptually simple ("the file has a valid signature from some identity"), while DSSE introduces the idea of "a bundle is valid if the valid payload within it matches some policy." This might confuse users who conflate "the bundle has a valid signature" with "I don't need to validate the data within the bundle."

Minimally, we could probably get away with leaving sigstore verify the way it is, but allowing a limited subset of DSSE bundles within it: ones that have an in-toto payload, which we could then verify the statement within against the digest of the independent input. This would probably cover >90% of use cases, e.g. verifying bundles from GitHub's attestation beta.
@woodruffw woodruffw added enhancement New feature or request component:cli CLI components component:verification Core verification functionality labels May 2, 2024
@woodruffw woodruffw added this to the 3.1 milestone May 9, 2024
@woodruffw
Copy link
Member Author

woodruffw commented May 13, 2024
edited
Loading

Revisiting: I think we can carve out a limited version of DSSE verification in the CLI that'll be compatible with the pre-existing CLI subcommands.

In particular: sigstore verify identity foo.txt will behave like it currently does, but will also verify DSSE entries so long as their subject matches foo.txt's hash. This is consistent with what gh attestation verify does.

CCing @di for visibility 🙂

@woodruffw woodruffw mentioned this issue May 13, 2024
Merged
@woodruffw woodruffw modified the milestones: 3.1, 3.0 May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:cli CLI components component:verification Core verification functionality enhancement New feature or request
Projects
None yet
Milestone
3.0
Development

Successfully merging a pull request may close this issue.

cli: allow DSSE verification sigstore/sigstore-python
1 participant
@woodruffw