Add rekor client method to upload a record #23
Conversation
loosebazooka
commented
May 19, 2022
•
loosebazooka
commented
- Also adds a cert generator to bypass fulcio/dex in testing
loosebazooka
force-pushed
the
rekor-request
branch
2 times, most recently
from
5000681 to
1864084
Compare
loosebazooka
changed the title
loosebazooka
force-pushed
the
rekor-request
branch
from
1864084 to
d00ebd7
Compare
loosebazooka
force-pushed
the
rekor-request
branch
from
d00ebd7 to
8634a7b
Compare
loosebazooka
force-pushed
the
rekor-request
branch
from
8634a7b to
5c1c8bb
Compare
- Also adds a cert generator to bypass fulcio/dex in testing Signed-off-by: Appu Goundan <appu@google.com>
loosebazooka
force-pushed
the
rekor-request
branch
from
5c1c8bb to
ef6b211
Compare
|
|
||
| public class HashedRekordRequest { | ||
|
|
||
| private final Hashedrekord hashedrekord; |
There was a problem hiding this comment.
Is the (lackof) camecase a typo here or unavoidable code gen artifact?
There was a problem hiding this comment.
hrmm... yeah I think so. It should be an internal value, so users wont see it. There's probably a way to make it more "java-like".
| * Create a new HashedRekorRequest. | ||
| * | ||
| * @param artifactDigest the sha256 digest of the artifact (not hex/base64 encoded) | ||
| * @param leafCert the leaf certificate used to verify {@code signature}, usually obtained from |
There was a problem hiding this comment.
for custom key signed artifacts (not using fulcio), is there a leaf cert to submit, or do you just use the singer's public key? It's all still a little muddled for me so asking out of curiosity,
There was a problem hiding this comment.
So presumably there's two ways to do this.
- with a certificate
- with a public key
this code just doesn't support (2) yet. But that would be a new factory method
support for public key hashedrekord: #25
| var req = HashedRekordRequest.newHashedRekordRequest(artifactDigest, cert, signature); | ||
|
|
||
| // this tests directly against rekor in staging, it's a bit hard to bring up a rekor instance | ||
| // without docker compose. |
There was a problem hiding this comment.
todo? I think Jason was working on doing this for his maven testing.
There was a problem hiding this comment.
I don't know what the right solution is. I think sigstore-scaffolding is fine, but it's super heavy weight.
Issue: #27
| /** | ||
| * A certificate generator, useful when trying to talk to rekor without actually using fulcio/oidc. | ||
| */ | ||
| public class CertGenerator { |
There was a problem hiding this comment.
ah so would this be used for the custom key flow too?
There was a problem hiding this comment.
if you use a custom key, you probably don't want a certificate -- you just use a pem encoded public key?
