netlify[bot]
commented
4 months ago Deploy Preview for witness-project ready!
| Name | Link |
|---|---|
| Latest commit | f6530942c72400d00a2e059bad5fe14d7474ccd2 |
| Latest deploy log | https://app.netlify.com/sites/witness-project/deploys/66b96cefed56560008750311 |
| Deploy Preview | https://deploy-preview-484--witness-project.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
What this PR does / why we need it
During verification there is nondeterministic behavior if the flag
--verifier-kms-aws-remote-verify=[true/false]is not specified. I found that this is because there is an early return causing the default booleantruevalue to not be set for theverifyRemotelyattribute.In some instances, the first
kspin the outer loop will bekms-gcp. If using an AWS reference, then the proper verifyRemotely setter will not be run. Other times, the firstkspwill bekms-awsand the proper setter will be called.You can check this by running
witness verify --verifier-kms-ref [KMS_REF] -a [ATTESTATION] -f [ARTIFACT] -p policy.signed.jsonusing an AWS IAM account without theVerifypermission. It will succeed sometimes and fail other times.Which issue(s) this PR fixes (optional)
Acceptance Criteria Met
Special notes for your reviewer: