Skip to content

feat: fixes #547: add npm sigstore-tuf suport#731

Merged
ramonpetgrave64 merged 7 commits intoslsa-framework:mainfrom
ramonpetgrave64:ramonpetgrave64-npm-tuf
Apr 16, 2024
Merged

feat: fixes #547: add npm sigstore-tuf suport#731
ramonpetgrave64 merged 7 commits intoslsa-framework:mainfrom
ramonpetgrave64:ramonpetgrave64-npm-tuf

Conversation

@ramonpetgrave64
Copy link
Copy Markdown
Contributor

@ramonpetgrave64 ramonpetgrave64 commented Jan 10, 2024
edited
Loading

Addresses: #547

Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root.

This PR

  • dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.
  • uses an updated (pending) sigstore-go library that allows us to fetch a signed and verified copy of the same key.

@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from c3c9feb to 17e2f5c Compare January 10, 2024 17:32
@ramonpetgrave64 ramonpetgrave64 changed the title Feat: fixes #547: add npm sigstore-tuf suport feat: fixes #547: add npm sigstore-tuf suport Jan 10, 2024
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Jan 10, 2024
Closed
@ramonpetgrave64
Copy link
Copy Markdown
Contributor Author

ramonpetgrave64 commented Jan 10, 2024

@laurentsimon please take a look

@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Jan 10, 2024
Merged
3 tasks
laurentsimon
laurentsimon approved these changes Jan 10, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nits, but LGTM. Thank you!

go.mod Outdated
)

// use the pending PR #41 branch tuf-client-2
replace github.com/sigstore/sigstore-go => github.com/sigstore/sigstore-go v0.0.0-20231222133331-d489b534902f
Copy link
Copy Markdown
Contributor

@laurentsimon laurentsimon Jan 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note to you: don't forget to replace before merging

Copy link
Copy Markdown
Contributor Author

@ramonpetgrave64 ramonpetgrave64 Feb 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's now using an official release of sigstore/sigstore-go@0.2.0, so I think we're ready to merge @laurentsimon @ianlewis

laurentsimon
laurentsimon reviewed Jan 10, 2024
View reviewed changes
ianlewis
ianlewis reviewed Jan 18, 2024
View reviewed changes
laurentsimon
laurentsimon reviewed Jan 18, 2024
View reviewed changes
laurentsimon
laurentsimon reviewed Jan 18, 2024
View reviewed changes
ianlewis
ianlewis approved these changes Jan 24, 2024
View reviewed changes
@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review February 13, 2024 18:25
ianlewis
ianlewis approved these changes Apr 5, 2024
View reviewed changes
@ramonpetgrave64 ramonpetgrave64 marked this pull request as draft April 5, 2024 14:47
@ramonpetgrave64 ramonpetgrave64 deleted the ramonpetgrave64-npm-tuf branch April 8, 2024 15:10
@ramonpetgrave64 ramonpetgrave64 restored the ramonpetgrave64-npm-tuf branch April 8, 2024 15:10
@ramonpetgrave64
Copy link
Copy Markdown
Contributor Author

ramonpetgrave64 commented Apr 10, 2024

I've updated the PR to dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review April 10, 2024 19:05
@ramonpetgrave64 ramonpetgrave64 marked this pull request as draft April 10, 2024 19:31
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from dfc1274 to 7d6ef52 Compare April 10, 2024 19:32
@ramonpetgrave64
get npmjs key from sigstore tuf
230ea37 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-npm-tuf branch from 7d6ef52 to 230ea37 Compare April 10, 2024 20:06
@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review April 10, 2024 20:25
laurentsimon
laurentsimon approved these changes Apr 11, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@haydentherapper if you have comments let us know

verifiers/internal/gha/npm_sigstore_tuf.go
func getKeyDataWithNpmjsKeysTarget(keys *npmjsKeysTarget, keyID, keyUsage string) (string, error) {
for _, key := range keys.Keys {
if key.KeyID == keyID && key.KeyUsage == keyUsage {
return key.PublicKey.RawBytes, nil
Copy link
Copy Markdown
Contributor

@laurentsimon laurentsimon Apr 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose that's where we should eventually get the TUF validity period and validate against rekor entry. Let's create a tracking issue to do that both here and in Fulcio cert verification (leaf cert period verification and rekor entry timestamp)
/cc @haydentherapper

Copy link
Copy Markdown
Collaborator

@Hayden-IO Hayden-IO Apr 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, for example it's done for Rekor like so - https://github.com/sigstore/sigstore-go/blob/main/pkg/tlog/entry.go#L274-L277

you should be able to check the attestation against the npm key validity period too - https://github.com/sigstore/root-signing/blob/main/repository/repository/targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json#L9-L11

Copy link
Copy Markdown
Contributor Author

@ramonpetgrave64 ramonpetgrave64 Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, I created the issue to track #757

@laurentsimon
Copy link
Copy Markdown
Contributor

laurentsimon commented Apr 12, 2024

@ramonpetgrave64 feel free to merge after addressing the few nits. Please create a tracking issue for the TUF verification discussed in #731 (comment). Thanks for the PR!

@ramonpetgrave64
hint for the the budle verification material public key
11e0c88 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add comments about before and after key retrieval
fdbab32 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
remove unneeded variable
c2e9a55 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
use %q for error message
ee33086 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Apr 16, 2024
Open
@ramonpetgrave64
edit comment into a TODO
2456885 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
gofmt
b8872fe 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 enabled auto-merge (squash) April 16, 2024 17:09
@ramonpetgrave64 ramonpetgrave64 merged commit 8c9ed07 into slsa-framework:main Apr 16, 2024
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Jul 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hayden-IO Hayden-IO Hayden-IO left review comments

@ianlewis ianlewis ianlewis approved these changes

@laurentsimon laurentsimon laurentsimon approved these changes

@kpk47 kpk47 Awaiting requested review from kpk47

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ramonpetgrave64 @laurentsimon @ianlewis @Hayden-IO