Delegate to targets/releases per extended MVP

[trishankatdatadog]

Signed-off-by: Trishank Karthik Kuppusamy trishank.kuppusamy@datadoghq.com

• [x] Reuse targets/releases key across bundles/images/repos
• [x] Investigate how to name in-toto files
• [x] Delegate bundles and links to targets/releases
• [x] Sign bundle in targets/releases
• [x] Verify bundle from targets/releases
• [x] Get the GUN, no need for tag
• [x] Sign layout and pubkeys in targets
• [x] Sign links in targets/releases
• [ ] Verify layout and pubkeys from targets
• [ ] Verify links from targets/releases
• [ ] Optional: check for duplicate links?
• [ ] Optional: pushing/pulling in-toto metadata as OCI artifacts

[trishankatdatadog]

Paging @radu-matei to take a look and help 🙂

[radu-matei]

We have two failing tests for now, which I am currently investigating:

FAIL    github.com/cnabio/signy/pkg/docker  13.762s
--- FAIL: TestVerify (0.00s)
    os_test.go:15: 
            Error Trace:    os_test.go:15
            Error:          Received unexpected error:
                            invalid metadata found: invalid scheme for key '': should be 'rsassa-pss-sha256', got: ''
            Test:           TestVerify
--- FAIL: TestValidate (0.00s)
    os_test.go:25: 
            Error Trace:    os_test.go:25
            Error:          Received unexpected error:
                            cannot load layout from file file ../../testdata/intoto/root.layout: open ../../testdata/intoto/root.layout: no such file or directory
            Test:           TestValidate
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xdaa04a]

I assume this is happening because in-toto tools are not installed by default in GitHub Actions workers.

[trishankatdatadog]

We have two failing tests for now, which I am currently investigating:

FAIL  github.com/cnabio/signy/pkg/docker  13.762s
--- FAIL: TestVerify (0.00s)
    os_test.go:15: 
          Error Trace:    os_test.go:15
          Error:          Received unexpected error:
                          invalid metadata found: invalid scheme for key '': should be 'rsassa-pss-sha256', got: ''
          Test:           TestVerify
--- FAIL: TestValidate (0.00s)
    os_test.go:25: 
          Error Trace:    os_test.go:25
          Error:          Received unexpected error:
                          cannot load layout from file file ../../testdata/intoto/root.layout: open ../../testdata/intoto/root.layout: no such file or directory
          Test:           TestValidate
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
  panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xdaa04a]

I assume this is happening because in-toto tools are not installed by default in GitHub Actions workers.

I think the second error is because the file was renamed and moved to the minimal root layout example

[radu-matei]

Ah, you're right. Changing the directory to the correct one:

--- FAIL: TestVerify (0.00s)
    os_test.go:15: 
            Error Trace:    os_test.go:15
            Error:          Received unexpected error:
                            failed verification: No signature found for key '556caebdc0877eed53d419b60eddb1e57fa773e4e31d70698b588f3e9cc48b35'
            Test:           TestVerify

[radu-matei]

Thanks for the help, @adityasaky and @trishankatdatadog! Now both verification tests are passing.

[trishankatdatadog]

Thanks for all your great comments, @carolynvs! So sorry I haven't gotten around to this yet, but been swamped with life and work. I can't promise I'll get to it this week, but please keep prodding me every two weeks as you see fit...