
Conversation

@steiza (Contributor) commented Apr 24, 2024

If the user does not supply a bundle, then we call a GitHub REST API to fetch the bundle. However, if the user does supply a bundle, `gh attestation verify` doesn't make any GitHub REST API calls, and so the user does not need to be authenticated.

@steiza steiza requested a review from a team as a code owner April 24, 2024 13:22
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label Apr 24, 2024
@cliAutomation (Collaborator)

Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.


```go
authOk := cmdutil.CheckAuth(factoryConfig)
if !authOk {
	return fmt.Errorf("Please supply a bundle or authenticate to gh")
}
```
@steiza (Contributor, Author) Apr 24, 2024

I thought about using pkg/cmd/root/help.go:authHelp() here but, (1) importing root here would create a circular dependency and (2) it's a private function. I'm open to feedback here!

Member

Realistically if we go down this route I'd imagine that we have something like cmderrs package used like cmderrs.AuthRequired or something like that.
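One way to express the rule from the PR description together with the sentinel-error idea raised in review, as an added example that is not the project's own code: `VerifyOptions`, `AuthChecker`, `RequireAuthForFetch` and `ErrAuthRequired` are assumed names standing in for the real `cmdutil.CheckAuth` call and the proposed `cmderrs.AuthRequired`.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAuthRequired is a hypothetical sentinel error standing in for the
// cmderrs.AuthRequired idea from the review thread. A sentinel lets the root
// command map the error to its own auth help text without the attestation
// package importing root (which would create the circular dependency noted above).
var ErrAuthRequired = errors.New("please supply a bundle or authenticate to gh")

// VerifyOptions holds the one input that decides whether auth is needed.
// An empty BundlePath means the bundle must be fetched via the GitHub REST API.
type VerifyOptions struct {
	BundlePath string
}

// AuthChecker reports whether gh has credentials; injected so it can be tested
// offline instead of calling cmdutil.CheckAuth directly.
type AuthChecker func() bool

// RequireAuthForFetch enforces the rule from the PR description: a locally
// supplied bundle needs no REST API call and therefore no authentication;
// without a bundle the fetch requires an authenticated session.
func RequireAuthForFetch(opts VerifyOptions, isAuthed AuthChecker) error {
	if opts.BundlePath != "" {
		return nil // offline verification path: nothing to fetch
	}
	if !isAuthed() {
		return fmt.Errorf("cannot fetch attestation bundle: %w", ErrAuthRequired)
	}
	return nil
}

func main() {
	cases := []struct {
		name string
		opts VerifyOptions
		auth bool
	}{
		{"bundle, no auth", VerifyOptions{BundlePath: "bundle.json"}, false}, // constructed sample path
		{"no bundle, no auth", VerifyOptions{}, false},
		{"no bundle, authed", VerifyOptions{}, true},
	}
	for _, c := range cases {
		err := RequireAuthForFetch(c.opts, func() bool { return c.auth })
		fmt.Printf("%-20s needs auth: %v\n", c.name, errors.Is(err, ErrAuthRequired))
	}
}
```

Callers can test with `errors.Is(err, ErrAuthRequired)` rather than matching the message string, so the help text can live in the root package.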

steiza added a commit to steiza/cli that referenced this pull request Apr 24, 2024
The main change is previously we always instantiated a TUF client for
the public good and GitHub Sigstore instances. Now we only instantiate
the TUF client we need, or no client if we are provided a
custom trusted root.

Note that `gh attestation verify` still requires authentication, that is
being addressed in cli#8995.

Some other changes are coming along for the ride:
- Set TUF cache validity to 1 day, to help serial verification
- Attempt to infer verification policy based on custom trusted root
- Make command output more friendly if you leave off required arguments

Signed-off-by: Zach Steindler <steiza@github.com>
@andyfeller (Member)

@steiza @williammartin : Wanting to compare this with a generic solution, I believe #9000 could satisfy in a more generic manner. Outside of writing tests as the auth checking logic doesn't have any, I tried reproducing the user workflow using a local build.

@williammartin (Member) commented Apr 29, 2024

Closing in favour of #9000, thanks!
