in-toto / in-toto-jenkins-plugin

A Jenkins plugin to track steps and create in-toto link metadata
MIT License

Add support for sigstore #6

Open PradyumnaKrishna opened 4 months ago

PradyumnaKrishna commented 4 months ago

This issue aims to integrate Sigstore support into the in-toto-jenkins plugin.

Description

Currently, the In-toto Jenkins plugin requires users to provide either a credential ID or key path for signing the link metadata during the post-build process. The addition of Sigstore in the In-toto Jenkins plugin enables keyless signing and keyless verification of metadata. Enhance the metadata transport capabilities within in-toto-jenkins by introducing a Sigstore transport option. The Sigstore transport will facilitate the uploading of generated metadata to the Rekor transparency log.
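The issue above contrasts the plugin's current key-based signing with keyless signing. The following Go program is an added example, not code from in-toto-jenkins-plugin or from sigstore-java: it builds a minimal in-toto link for a constructed "package" step, signs it once with a caller-supplied key (the credential-ID/key-path mode) and once with a key pair that exists only for that build (the keyless model), and verifies both, including a tampered product and a signature from the wrong key. Plain `encoding/json` stands in for in-toto's canonical JSON, the key ID is a simplified sha256 of the public key, and the Fulcio certificate and Rekor upload that make the ephemeral key trustworthy are deliberately out of scope; all of these are simplifications of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link carries the core in-toto link fields: what the step ran, what it
// consumed (materials) and what it produced (products), keyed by file name.
type Link struct {
	Type      string                       `json:"_type"`
	Name      string                       `json:"name"`
	Command   []string                     `json:"command"`
	Materials map[string]map[string]string `json:"materials"`
	Products  map[string]map[string]string `json:"products"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Metablock is the signed wrapper the post-build step writes out.
type Metablock struct {
	Signed     Link        `json:"signed"`
	Signatures []Signature `json:"signatures"`
}

// Digest records an artifact the way in-toto does: algorithm -> hex digest.
func Digest(content []byte) map[string]string {
	sum := sha256.Sum256(content)
	return map[string]string{"sha256": hex.EncodeToString(sum[:])}
}

// KeyID is a simplified key identifier (sha256 over the raw public key).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// payload serializes the link deterministically; encoding/json sorts map keys,
// which stands in for in-toto's canonical JSON here (assumption).
func payload(l Link) ([]byte, error) { return json.Marshal(l) }

// Sign uses a caller-supplied long-lived key: the credential-ID / key-path
// mode the plugin supports today.
func Sign(l Link, priv ed25519.PrivateKey) (Metablock, error) {
	p, err := payload(l)
	if err != nil {
		return Metablock{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	sig := Signature{KeyID: KeyID(pub), Sig: hex.EncodeToString(ed25519.Sign(priv, p))}
	return Metablock{Signed: l, Signatures: []Signature{sig}}, nil
}

// SignKeyless models the Sigstore flow: a fresh key pair lives only for this
// build, so Jenkins stores no long-lived signing secret. In a real integration
// Fulcio would bind the public key to the job's OIDC identity and the result
// would be logged to Rekor; neither is simulated in this example.
func SignKeyless(l Link) (Metablock, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Metablock{}, nil, err
	}
	mb, err := Sign(l, priv)
	return mb, pub, err
}

// Verify reports whether mb carries a valid signature by pub over the signed
// link; signatures attributed to other key IDs are skipped.
func Verify(mb Metablock, pub ed25519.PublicKey) bool {
	p, err := payload(mb.Signed)
	if err != nil {
		return false
	}
	for _, s := range mb.Signatures {
		sig, err := hex.DecodeString(s.Sig)
		if err != nil || s.KeyID != KeyID(pub) {
			continue
		}
		if ed25519.Verify(pub, p, sig) {
			return true
		}
	}
	return false
}

// BuildLink assembles a link for a constructed "package" step; the file
// contents are made up for the example.
func BuildLink() Link {
	return Link{
		Type:      "link",
		Name:      "package",
		Command:   []string{"mvn", "package"},
		Materials: map[string]map[string]string{"src/Main.java": Digest([]byte("public class Main {}"))},
		Products:  map[string]map[string]string{"target/app.jar": Digest([]byte("jar-bytes"))},
	}
}

func main() {
	mb, pub, err := SignKeyless(BuildLink())
	if err != nil {
		panic(err)
	}
	fmt.Println("ephemeral-key signature verifies:", Verify(mb, pub))
	mb.Signed.Products["target/app.jar"] = Digest([]byte("tampered"))
	fmt.Println("after product tampering:", Verify(mb, pub))
}
```

Verification in the keyless mode only proves that the ephemeral key signed the link; what ties that key to a Jenkins job identity is the Fulcio certificate and the Rekor entry, which is why the issue treats the Sigstore transport (upload to Rekor) as part of the same feature rather than an optional extra.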

HikaruSadashi commented 3 months ago

Hi @PradyumnaKrishna , Hi @SantiagoTorres

I just submitted a proposal for this. I would love any last-minute feedback (I can still edit before the deadline, which is in about 7 hours!).

Nihit25 commented 2 months ago

Hi @PradyumnaKrishna, this project seems really interesting to me. I have been trying to understand the code for the last week. I would really like to contribute to this project in the best possible ways, and I'll try my best to contribute as much as possible.

PradyumnaKrishna commented 1 month ago

To understand this project, you can read the sigstore documentation to get started. There is a sigstore Java and Maven repository which might be useful for this project; try it out as well.

Nihit25 commented 1 month ago

Yes @PradyumnaKrishna, I'll definitely read the sigstore documentation to get started. I'll try the sigstore Java and Maven repository as well.

Atharva-Kanherkar commented 1 month ago

@PradyumnaKrishna Hi, do we need to submit a proposal, like an action plan for handling the project, or do we need to do any pre-tasks for the project before applying?

KiranSatyaRaj commented 1 month ago

Hey @PradyumnaKrishna - I believe the InTotoRecorder and InTotoWrapper files will be updated, and a new sigstoreTransport file added in the transport directory.

debayangg commented 1 month ago

@PradyumnaKrishna I have applied to contribute to this project under LFX mentorship. I have gone through the sigstore docs and now have a rough idea of how to implement the project; should I include an overview of it in the cover letter, or should I explain it somewhere else?