grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0
699 stars 135 forks

Support GenericSignedAttestation #412

Open steakunderscore opened 5 years ago

steakunderscore commented 5 years ago

Is your feature request related to a problem? Please describe.
gcloud creates attestations using the genericSignedAttestation rather than pgpSignedAttestation (docs). Kritis doesn't seem to support these attestations, as there's no mention of them in the repo.

Command to create such attestation:

gcloud --project="${ATTESTOR_PROJECT_ID}" beta container binauthz attestations create \
    --artifact-url="${image}" \
    --attestor="projects/${ATTESTOR_PROJECT_ID}/attestors/${ATTESTOR_ID}" \
    --signature-file="${gpg_signed_payload}.pgp" \
    --pgp-key-fingerprint="${pgp_key_fingerprint}"

Which produces:

[
  {
    "attestation": {
      "attestation": {
        "genericSignedAttestation": {
          "contentType": "SIMPLE_SIGNING_JSON",
          "serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAiZ2NyLmlvL2dvb2dsZS1zYW1wbGVzL2hlbGxvLWFwcCIKICAgIH0sCiAgICAiaW1hZ2UiOiB7CiAgICAgICJkb2NrZXItbWFuaWZlc3QtZGlnZXN0IjogInNoYTI1NjpjNjJlYWQ1YjhjMTVjMjMxZjllNzg2MjUwYjA3OTA5ZGFmNmMyNjZkMGZjZGRkOTNmZWE4ODJlYjcyMmMzYmU0IgogICAgfSwKICAgICJ0eXBlIjogIkdvb2dsZSBjbG91ZCBiaW5hdXRoeiBjb250YWluZXIgc2lnbmF0dXJlIgogIH0KfQo=",
          "signatures": [
            {
              "publicKeyId": "redacted",
              "signature": "redacted"
            }
          ]
        }
      }
    },
    "createTime": "2019-10-16T11:39:38.639322Z",
    "kind": "ATTESTATION",
    "name": "projects/tm-ginfra-project/occurrences/20ee9b9b-3afe-4d7a-96af-37973ad91a58",
    "noteName": "projects/tm-ginfra-project/notes/build-attest-note",
    "resource": {
      "uri": "https://gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4"
    }
  }
]

Describe the solution you'd like
Kritis should switch to supporting these attestations too. I would also suggest that attestations Kritis creates use the new format.

Describe alternatives you've considered

Additional context
The protobufs are also out of date; this might need solving first.

gcloud -v
Google Cloud SDK 267.0.0
alpha 2019.10.15
beta 2019.10.15
bq 2.0.49
core 2019.10.15
gsutil 4.44
kubectl 2019.10.15
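As an added example (not Kritis code, and not part of this issue), the following Go program shows what a policy enforcer has to do with an occurrence of the shape above before it can trust it: pull out the genericSignedAttestation, decode the base64 serializedPayload as SIMPLE_SIGNING_JSON, and check that the payload's docker-reference and docker-manifest-digest are bound to the image named in the occurrence's resource URI. The struct and function names are mine; the sample occurrence is the one pasted in the issue with its redacted signature values left as placeholders. Verifying the signatures over the raw payload bytes against the attestor's public key is a separate step that this example does not perform.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SimpleSigning mirrors the SIMPLE_SIGNING_JSON payload layout: a "critical"
// block carrying the image reference, the manifest digest and the attestation
// type. Field names follow the decoded payload from the issue.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// GenericSignedAttestation is the subset of the occurrence JSON this check needs.
type GenericSignedAttestation struct {
	ContentType       string `json:"contentType"`
	SerializedPayload string `json:"serializedPayload"`
	Signatures        []struct {
		PublicKeyID string `json:"publicKeyId"`
		Signature   string `json:"signature"`
	} `json:"signatures"`
}

// Occurrence models only the nesting seen in the gcloud output above.
type Occurrence struct {
	Attestation struct {
		Attestation struct {
			GenericSignedAttestation *GenericSignedAttestation `json:"genericSignedAttestation"`
		} `json:"attestation"`
	} `json:"attestation"`
	Resource struct {
		URI string `json:"uri"`
	} `json:"resource"`
}

// DecodePayload base64-decodes serializedPayload and parses it as simple
// signing JSON. Any other contentType is rejected rather than guessed at.
func DecodePayload(att GenericSignedAttestation) (SimpleSigning, error) {
	var ss SimpleSigning
	if att.ContentType != "SIMPLE_SIGNING_JSON" {
		return ss, fmt.Errorf("unsupported contentType %q", att.ContentType)
	}
	raw, err := base64.StdEncoding.DecodeString(att.SerializedPayload)
	if err != nil {
		return ss, fmt.Errorf("serializedPayload is not valid base64: %w", err)
	}
	if err := json.Unmarshal(raw, &ss); err != nil {
		return ss, fmt.Errorf("payload is not simple signing JSON: %w", err)
	}
	return ss, nil
}

// PayloadMatchesImage returns nil only when the payload names the same
// repository and the same sha256 manifest digest as the occurrence's resource
// URI. An attestation whose payload is bound to a different image must not be
// accepted for this one, whatever its signature says.
func PayloadMatchesImage(ss SimpleSigning, resourceURI string) error {
	ref := strings.TrimPrefix(resourceURI, "https://")
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok {
		return fmt.Errorf("resource uri %q carries no @digest", resourceURI)
	}
	if !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return fmt.Errorf("resource digest %q is not a sha256 digest", digest)
	}
	if ss.Critical.Image.DockerManifestDigest != digest {
		return fmt.Errorf("payload digest %q != resource digest %q", ss.Critical.Image.DockerManifestDigest, digest)
	}
	if ss.Critical.Identity.DockerReference != repo {
		return fmt.Errorf("payload reference %q != resource repository %q", ss.Critical.Identity.DockerReference, repo)
	}
	return nil
}

// CheckOccurrence runs the full binding check over one occurrence JSON object.
func CheckOccurrence(occJSON string) (SimpleSigning, error) {
	var occ Occurrence
	if err := json.Unmarshal([]byte(occJSON), &occ); err != nil {
		return SimpleSigning{}, err
	}
	gsa := occ.Attestation.Attestation.GenericSignedAttestation
	if gsa == nil {
		return SimpleSigning{}, errors.New("occurrence carries no genericSignedAttestation")
	}
	if len(gsa.Signatures) == 0 {
		return SimpleSigning{}, errors.New("attestation carries no signatures")
	}
	ss, err := DecodePayload(*gsa)
	if err != nil {
		return SimpleSigning{}, err
	}
	return ss, PayloadMatchesImage(ss, occ.Resource.URI)
}

// SampleOccurrence is the occurrence from the issue (signatures redacted there too).
const SampleOccurrence = `{
  "attestation": {"attestation": {"genericSignedAttestation": {
    "contentType": "SIMPLE_SIGNING_JSON",
    "serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAiZ2NyLmlvL2dvb2dsZS1zYW1wbGVzL2hlbGxvLWFwcCIKICAgIH0sCiAgICAiaW1hZ2UiOiB7CiAgICAgICJkb2NrZXItbWFuaWZlc3QtZGlnZXN0IjogInNoYTI1NjpjNjJlYWQ1YjhjMTVjMjMxZjllNzg2MjUwYjA3OTA5ZGFmNmMyNjZkMGZjZGRkOTNmZWE4ODJlYjcyMmMzYmU0IgogICAgfSwKICAgICJ0eXBlIjogIkdvb2dsZSBjbG91ZCBiaW5hdXRoeiBjb250YWluZXIgc2lnbmF0dXJlIgogIH0KfQo=",
    "signatures": [{"publicKeyId": "redacted", "signature": "redacted"}]
  }}},
  "resource": {"uri": "https://gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4"}
}`

func main() {
	ss, err := CheckOccurrence(SampleOccurrence)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("payload bound to %s@%s (%s)\n", ss.Critical.Identity.DockerReference, ss.Critical.Image.DockerManifestDigest, ss.Critical.Type)
}
```

The digest comparison is the part worth keeping even once signature checking is added: a valid signature only proves the attestor signed that payload, and the payload, not the occurrence metadata, is what names the image.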

steakunderscore commented 5 years ago

Note that gcloud made this change in v261.0.0

aysylu commented 5 years ago

Hi @steakunderscore,

Kritis currently supports v1beta1 Attestations, which actually have the GenericSignedAttestation: https://github.com/grafeas/grafeas/blob/master/proto/v1beta1/attestation.proto#L172. You're right that Kritis currently doesn't demonstrate how to use them and the codebase assumes PGP signed attestation. To address this, we'd need to update the code to support GenericSignedAttestation and add documentation. Contributions are welcome!

steakunderscore commented 4 years ago

Hi @aysylu,

I went to take a look at this, but it seems the googleapis proto is out of sync. Then I came across this issue stating that it's an internal process to sync these.

Can you take a look into getting these updated so we can progress on this? Thanks.

aysylu commented 4 years ago

Hi @steakunderscore,

Great point. I'm on it, will update this thread when it's done.

Thanks, Aysylu

aysylu commented 4 years ago

Hi @steakunderscore,

I'm back from vacation, continuing the work on this. Will post updates soon.

Thanks, Aysylu

aysylu commented 4 years ago

@steakunderscore: quick update that the final step of re-generating client libraries is WIP. I'll update this thread when it's completed.

aysylu commented 4 years ago

@steakunderscore: the v1beta1 go client has been updated: https://github.com/googleapis/go-genproto/pull/281. Big thanks to @jadekler for the help in the process.

There's a related issue in #427 to support the GenericSignedAttestation fully. Let's track the remaining work there, but please feel free to re-open this issue if it hasn't been fully addressed, or open a new one.

Happy holidays!

nenaddedic commented 4 years ago

I think that #427 doesn't cover the remaining work here. #427 is about fixing a bug in PgpSignedAttestation.

Let's reopen this issue to track the work of supporting attestations represented as GenericSignedAttestation.