in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

Fixing CA Path Flag to be used and adding policy timestamp server flag #353

Closed ChaosInTheCRD closed 6 months ago

ChaosInTheCRD commented 10 months ago

This PR contains a fix for the noticed bug that was discovered, in that vo.PolicyCAPaths was not used in the Verify function. Note that this change working correctly is dependent on changes to https://github.com/in-toto/go-witness.

The other half of this PR focuses on allowing users to sign their policy with a timestamp authority, and if they have done so, allow them to supply the CA certificate of the timestamp authority server for use in the policy verification flow. Once again this change is dependent on changes to go-witness.

This PR depends on https://github.com/in-toto/go-witness/pull/124

jkjell commented 10 months ago

Can we add the same additional flags that Sigstore uses? https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect

--certificate-identity=name@example.com and --certificate-oidc-issuer=https://accounts.example.com

ChaosInTheCRD commented 10 months ago

This PR is dependent on https://github.com/in-toto/go-witness/pull/144

mikhailswift commented 9 months ago

114's been merged, can we get this updated and ready for final review?

jkjell commented 9 months ago

@ChaosInTheCRD I've been thinking a bit about this and I think this might be a blocker for this PR. One of the critical things to verify on a Fulcio cert is the Issuer, which is an extension we don't support yet.
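
The issuer-extension check described above, as an added example in Go that is not witness's or go-witness's code: it assumes OID 1.3.6.1.4.1.57264.1.1 is Fulcio's original OIDC issuer extension (whose value is the raw issuer URL) and builds a constructed self-signed certificate carrying that extension so the check can be exercised offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Assumed OID of Fulcio's original OIDC issuer extension; its value is the raw issuer URL.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// checkIssuer is the check a --certificate-oidc-issuer flag would drive: the signing
// certificate is acceptable only if its issuer extension matches the expected value exactly.
func checkIssuer(cert *x509.Certificate, expected string) error {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidFulcioIssuer) {
			continue
		}
		if got := string(ext.Value); got != expected {
			return fmt.Errorf("issuer mismatch: certificate says %q, policy expects %q", got, expected)
		}
		return nil
	}
	return fmt.Errorf("certificate carries no issuer extension %v", oidFulcioIssuer)
}

// selfSignedWithIssuer builds a constructed self-signed leaf carrying the extension,
// standing in for a Fulcio-issued certificate so the check can be exercised offline.
func selfSignedWithIssuer(issuer string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate without the extension is rejected outright, which is the safe default when a policy names an expected issuer.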

ChaosInTheCRD commented 9 months ago

@jkjell good that you noted these custom cert extensions and I certainly think we should follow up with work to support them. However, that work is relevant to https://github.com/in-toto/go-witness, and moreover this work specifically aims to bring policy signature verification logic up to scratch with what we are currently able to use to verify attestation signatures.

Provided you're happy, I suggest we merge this PR for now. We then follow up with subsequent PRs in https://github.com/in-toto/go-witness and then finally implement it here in https://github.com/in-toto/witness.

Note that (I probably sound like a broken record, but) we need to consider how these extra custom extensions might affect the total number of flags. I think as an MVP just adding them will be fine, but I think some consideration into how we could potentially consolidate them might be worthwhile.

ChaosInTheCRD commented 9 months ago

What I will say however, is if you think this is high priority enough, I can expedite this and we can try and bundle it into this PR.

netlify[bot] commented 9 months ago

Deploy Preview for witness-project canceled.

Name | Link
--- | ---
Latest commit | 6e5265eecfe0d0612e93381ca90f328d249b9d51
Latest deploy log | https://app.netlify.com/sites/witness-project/deploys/6645f4245214d00008542978

jkjell commented 7 months ago

Looks like we're missing a couple of test files: ./test/policy-signed.json and ./test/policy.json.

ChaosInTheCRD commented 7 months ago

I need to loop back over this so we can get it ready for merge. This includes factoring in https://github.com/in-toto/go-witness/pull/174