Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor verifyNewBundle into library function #4013

Merged
merged 14 commits into from
Feb 7, 2025
Merged

Refactor verifyNewBundle into library function #4013

merged 14 commits into from
Feb 7, 2025

Conversation

codysoyland
Copy link
Member

@codysoyland codysoyland commented Jan 14, 2025
edited
Loading

Summary

This is a refactor of the bundle verification logic that replaces verifyNewBundle with a re-written library function cosign.VerifyNewBundle, which accepts a simplified set of arguments, using CheckOpts to supply the majority of the configuration. It has been moved out of the cli package into the cosign package and made public.

This is partially extracted from #3889.

Release Note

Documentation

@codecov Codecov
Copy link

codecov bot commented Jan 14, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 48.57143% with 108 lines in your changes missing coverage. Please review.

Project coverage is 36.84%. Comparing base (2ef6022) to head (cf47c49).
Report is 299 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/verify/verify_blob.go 38.37% 43 Missing and 10 partials ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 39.28% 28 Missing and 6 partials ⚠️
pkg/cosign/verify.go 74.13% 10 Missing and 5 partials ⚠️
pkg/cosign/verify_bundle.go 40.00% 4 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4013      +/-   ##
==========================================
- Coverage   40.10%   36.84%   -3.26%     
==========================================
  Files         155      210      +55     
  Lines       10044    13356    +3312     
==========================================
+ Hits         4028     4921     +893     
- Misses       5530     7817    +2287     
- Partials      486      618     +132

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@codysoyland codysoyland marked this pull request as ready for review January 21, 2025 21:06
@codysoyland codysoyland changed the title [DRAFT] Refactor verifyNewBundle into library function Refactor verifyNewBundle into library function Jan 21, 2025
@codysoyland codysoyland mentioned this pull request Jan 22, 2025
Open
@codysoyland
Copy link
Member Author

@haydentherapper @cmurphy @steiza I would appreciate a look at this whenever you have a moment!

steiza
steiza reviewed Jan 23, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I don't have any further comments other than the things already raised by @malancas.

cmd/cosign/cli/verify/verify_blob_attestation.go Show resolved Hide resolved
@codysoyland
Copy link
Member Author

I will take a look at the conformance failures Monday. Thanks all!

malancas
malancas approved these changes Jan 29, 2025
View reviewed changes
Copy link

@malancas malancas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@haydentherapper
Copy link
Contributor

Needs a rebase to fix the tests that didn't run

@codysoyland
Add new func cosign.VerifyNewBundle which invokes sigstore-go verifier
ea79ec8 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Refactor verify-blob to use cosign.VerifyNewBundle
4dfdba2 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Refactor verify-blob-attestation to use cosign.VerifyNewBundle
977fd4c 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Add more tests
7090783 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Remove old verifyNewBundle
d732e2e 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Add support for verifying by payload digest and custom trusted root
f7531ca 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Add support for custom trusted root path in verify-blob-attestation
490802a 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Fix logic: require none of these fields to be set
32bc334 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Remove RekorURL from list of checked flags
4fe910b 
This var has a default value so shouldn't be checked

Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Fix a couple of tests
4a08df9 
These tests are incorrect: they set the signature field which is not allowed when doing bundle verification. Previously they were passing due to logic errors.

Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland codysoyland force-pushed the verify-new-bundle-refactor branch from 5932f1f to 4a08df9 Compare February 5, 2025 19:05
@codysoyland codysoyland requested a review from a team as a code owner February 5, 2025 19:05
cmurphy
cmurphy reviewed Feb 6, 2025
View reviewed changes
Copy link
Contributor

@cmurphy cmurphy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally lgtm, couple minor questions and a typo

pkg/cosign/verify.go Outdated Show resolved Hide resolved
pkg/cosign/verify.go Show resolved Hide resolved
pkg/cosign/verify.go Show resolved Hide resolved
@codysoyland @cmurphy
Update pkg/cosign/verify.go
a3871df 
Co-authored-by: Colleen Murphy <cmurphy@users.noreply.github.com>
Signed-off-by: Cody Soyland <codysoyland@github.com>
haydentherapper
haydentherapper reviewed Feb 7, 2025
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

few small nits, looks great!

cmd/cosign/cli/verify/verify_bundle.go

return sev.Verify(bundle, verify.NewPolicy(artifactOpt, identityPolicies...))
}

func AssembleNewBundle(ctx context.Context, sigBytes, signedTimestamp []byte, envelope *dsse.Envelope, artifactRef string, cert *x509.Certificate, ignoreTlog bool, sigVerifier signature.Verifier, pkOpts []signature.PublicKeyOption, rekorClient *client.Rekor) (*sgbundle.Bundle, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For a later PR, we should move this to somewhere under pkg/ rather than be under the cli package. It looks like this is only used by the cosign bundle command.

cmd/cosign/cli/verify/verify_blob_attestation.go Show resolved Hide resolved
cmd/cosign/cli/verify/verify_blob.go Outdated Show resolved Hide resolved
@codysoyland
Remove unneeded log
a5bb207 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Do not allow --trusted-root flag without --new-bundle-format
a06f0eb 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland
Ignore context param
cf47c49 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland codysoyland merged commit 737c83c into sigstore:main Feb 7, 2025
29 checks passed
@codysoyland codysoyland deleted the verify-new-bundle-refactor branch February 7, 2025 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steiza steiza steiza left review comments

@cmurphy cmurphy cmurphy left review comments

@haydentherapper haydentherapper haydentherapper approved these changes

@malancas malancas malancas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@codysoyland @haydentherapper @steiza @cmurphy @malancas