Open semmet95 opened 4 weeks ago
FYI: The crypto interface used by the Python in-toto implementation provides an AWSSigner: https://github.com/secure-systems-lab/securesystemslib/blob/main/securesystemslib/signer/_aws_signer.py
Maybe this could be ported to go. Here are some additional infos about the Signer API: https://python-securesystemslib.readthedocs.io/en/latest/signer.html
I also want to loop in @jkjell here. I think in-toto/witness has support for signing using AWS KMS, and I wonder if using that is an option for you @semmet95? We're working behind the scenes to consolidate in-toto-golang's functionality into witness going forward.
@lukpueh hmm, so does that mean writing different implementations of signing the payload, and storing a field, `signer`, in the `Envelope` struct, and initialising it based on whatever type of signer you want to use?
@adityasaky yes I was also wondering if witness AWS KMS support would be added to in-toto-golang. One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.
> @lukpueh hmm, so does that mean writing different implementations of signing the payload,

Yes.

> and storing a field, `signer`, in the `Envelope` struct, and initialising it based on whatever type of signer you want to use?

No.
I haven't looked at the dsse implementation in in-toto-golang in detail, but the following design worked well for us on the Python side:
IIRC go-securesystemslib has a similar design.
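The design sketched above (separate signer implementations behind one interface, with no signer stored in the envelope), as an added example in Go that is not part of this thread or of in-toto-golang. The `Signer` interface, `ECDSASigner` and `NewLocalSigner` are this example's own assumptions; a KMS signer would be a second implementation of the same interface.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Signer is the pluggable interface (an assumption here, modelled on but not copied from
// go-securesystemslib's dsse.SignerVerifier). A KMS-backed implementation would call the
// KMS API inside Sign; the Envelope itself never stores a signer.
type Signer interface {
	KeyID() string
	Sign(ctx context.Context, data []byte) ([]byte, error)
}

type Signature struct{ KeyID, Sig string }
type Envelope struct{ PayloadType, Payload string; Signatures []Signature }
// PAE is the DSSE pre-authentication encoding; it, not the raw payload, is what gets signed.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignEnvelope takes any Signer; which implementation to construct is the caller's choice.
func SignEnvelope(ctx context.Context, payloadType string, payload []byte, signers ...Signer) (*Envelope, error) {
	env := &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload)}
	for _, s := range signers {
		sig, err := s.Sign(ctx, PAE(payloadType, payload))
		if err != nil {
			return nil, err
		}
		env.Signatures = append(env.Signatures, Signature{s.KeyID(), base64.StdEncoding.EncodeToString(sig)})
	}
	return env, nil
}

// ECDSASigner signs with a local key; a KMS-backed signer would have the same shape.
type ECDSASigner struct{ Key *ecdsa.PrivateKey; ID string }
func (e *ECDSASigner) KeyID() string { return e.ID }
func (e *ECDSASigner) Sign(_ context.Context, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, e.Key, h[:])
}
// NewLocalSigner generates a fresh P-256 key, the locally generated key case from the issue.
func NewLocalSigner(id string) (*ECDSASigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &ECDSASigner{Key: key, ID: id}, err
}
```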
Hey @semmet95! 👋 With respect to your question:

> One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.

`witness` has a link attestor option that can output a standard DSSE. I don't think we've done an exact comparison between the generated attestations of each but, if there are differences, we can probably resolve them pretty quickly in Witness.
Hi @jkjell I'm concerned about the attestation format because my use case also involves ingesting these envelopes using GUAC. I'll check and get back to you about this.
Hi @adityasaky I'm wondering if you guys have any timeline regarding consolidating in-toto-golang's functionality into witness 🤔 Also, this means we can completely replace in-toto-golang with witness, right?
Hi,
I'm currently using `in-toto-golang` to generate an attested dsse envelope, signing it with a locally generated key. I'd like to sign the envelope using a key stored in AWS KMS. From what I could figure out this would probably require using aws sdk, kms client to be more specific. I'm not completely sure on how to add this feature, if someone can guide me I'll be happy to contribute. If anyone knows a workaround on how I can use KMS keys with `in-toto-golang` I'd love to know that too.