Open semmet95 opened 2 weeks ago
Hi @semmet95!
Thank you for raising this issue. I think I understand the problem you are facing. As you said you're writing acceptance tests, are these with the intention of submitting as a PR to the repository? That sounds great if so!
The way the options for KMS providers are wired up is a little tricksy, apologies for this. You will however find some example logic of the KMS provider options getting initialized at https://github.com/in-toto/witness/blob/main/cmd/keyloader.go#L50.
There is a little bit of unwanted behaviour being experienced with KMS (e.g., https://github.com/in-toto/witness/issues/427), so it might be worth noting that I have just submitted a PR to make some changes to how these options are passed around (see https://github.com/in-toto/go-witness/pull/292).
If you want any more specific help with your work, feel free to get in contact with me on the CNCF Slack (Thomas Philip Meadows
It's also probably worth noting that I will test using Localstack at some point soon in the next day or two, and will report any issues found here.
Hey @ChaosInTheCRD
My issue was specific to setting the insecureSkipVerify property to true and I somehow managed to find a way to do that (definitely not elegant but it seems to work 🥹).
The loadSigners link you shared helped and I figured out that I could call the option setter function for the "kms-aws" SignerProviderOption, where the configurer name is insecure-skip-verify, providing true as the value for the flag.
Here's how I did it.
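    // Find the kms-aws option named "insecure-skip-verify" and set it to true.
    for _, configurer := range witnessProvider.Options["kms-aws"].Init() {
        if configurer.Name() == "insecure-skip-verify" {
            // Checked assertion: skip instead of panicking if the option's type differs.
            if optT, ok := configurer.(*registry.ConfigOption[signer.SignerProvider, bool]); ok {
                optT.Setter()(witnessProvider, true)
            }
        }
    }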
As for submitting a PR to the repo, I'm all for that but I'm not sure where to add what I tested. Maybe in the docs as an example?
I have been trying to set up acceptance tests for aws kms signing but I'm running into,
error for the localstack endpoint. Digging a bit deeper I found that if I hardcode a.options.insecureSkipVerify to true here the signing operation works fine. I also found this function that returns an Option which can set the insecureSkipVerify property to false. But I couldn't figure out how to use it when creating a SignerProvider or a SignerVerifier.
Can someone please help me with configuring this property 🙏 Thanks.
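As an added example (not part of the thread and not go-witness code): assuming the error for the localstack endpoint is a certificate verification failure, a test can keep verification on and trust only the emulator's certificate instead of setting insecure-skip-verify. The httptest server is a constructed stand-in for that endpoint, and clientFor, probe and run are hypothetical helper names; whether the kms-aws provider accepts a custom CA pool is not shown on this page.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientFor returns an HTTP client that verifies server certificates against
// roots. A nil pool means the system trust store (the default behaviour).
func clientFor(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// probe performs one GET and reports whether the request, including the TLS
// handshake, succeeded.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// run starts a local TLS server with a self-signed certificate (a constructed
// stand-in for the emulator endpoint) and tries it with both trust settings.
func run() (systemErr, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()

	// System roots: the self-signed certificate is rejected.
	systemErr = probe(clientFor(nil), srv.URL)

	// Test-only pool holding just the endpoint's certificate: verification
	// stays enabled and only this endpoint is trusted.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedErr = probe(clientFor(pool), srv.URL)
	return systemErr, pinnedErr
}

func main() {
	systemErr, pinnedErr := run()
	fmt.Println("system roots:", systemErr)
	fmt.Println("test CA pool:", pinnedErr)
}
```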