openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0
108 stars 21 forks

`vexctl attest --sign` doesn't create a verifiable attestation #143

Closed dhaus67 closed 9 months ago

dhaus67 commented 9 months ago

Description

When calling `vexctl attest --sign --attach report.vex.json`, the attached attestation seemingly cannot be verified via `cosign verify-attestation`.

Repro steps:

  1. Create a sample report with some data:

    {
      "@context": "https://openvex.dev/ns/v0.2.0",
      "@id": "https://openvex.dev/docs/public/vex-f7c629e617119c33512cc55395988295b80d3a450266c8399927a6fec323520d",
      "author": "dhaus",
      "timestamp": "2023-12-05T03:51:30.679763+01:00",
      "version": 1,
      "statements": [
        {
          "vulnerability": {
            "name": "CVE-2022-1304"
          },
          "timestamp": "2023-12-05T03:51:30.679765+01:00",
          "products": [
            {
              "@id": "pkg:oci/openvex@sha256:a97a153152fcd6410bdf4fb64f5622ecf97a753f07dcc89dab14509d059736cf?repository_url=docker.io/daha97&tag=1.23.4"
            }
          ],
          "status": "not_affected",
          "justification": "vulnerable_code_not_in_execute_path",
          "impact_statement": "nothing"
        }
      ]
    }

  2. Attach and sign the report going through the signing flow:

    vexctl attest --attach --sign vex.json

    Generating ephemeral keys... Retrieving signed certificate... ... Successfully verified SCT...

  3. Attempt to verify the attestation:

    cosign verify-attestation docker.io/daha97/openvex:1.23.4 --certificate-identity="..." --certificate-oidc-issuer=https://github.com/login/oauth

    Error: no matching attestations: nil certificate provided
    main.go:74: error during command execution: no matching attestations: nil certificate provided


Looking at the manifest attestation in the registry, no additional annotations are set:

    {
      "mediaType": "application/vnd.dsse.envelope.v1+json",
      "digest": "sha256:49709de8de52ec1ecb610900e2066e557edba647d70944461caaba47cf14b4dd",
      "size": 1724,
      "annotations": {
        "dev.cosignproject.cosign/signature": ""
      }
    }


Workaround for this:

Creating the vex report but using `cosign` to attach the report instead of `vexctl attest --attach` works:

cosign attest --type custom --predicate vex.json docker.io/daha97/openvex:1.23.4

Generating ephemeral keys... Retrieving signed certificate... Successfully verified SCT...

cosign verify-attestation docker.io/daha97/openvex:1.23.4 --certificate-identity="..." --certificate-oidc-issuer=https://github.com/login/oauth


Also, the annotations are now correctly set:

    {
      "mediaType": "application/vnd.dsse.envelope.v1+json",
      "digest": "sha256:50375613538f8b551ed758fb014d0832cdb1343f18b94bbc627e7d01cb7fc40c",
      "size": 1684,
      "annotations": {
        "predicateType": "https://cosign.sigstore.dev/attestation/v1",
        "dev.cosignproject.cosign/signature": "",
        "dev.sigstore.cosign/bundle": "...",
        "dev.sigstore.cosign/certificate": "...",
        "dev.sigstore.cosign/chain": "..."
      }
    }

Sample attestation manifest containing both predicates: https://oci.dag.dev/?image=daha97%2Fopenvex%3Asha256-a97a153152fcd6410bdf4fb64f5622ecf97a753f07dcc89dab14509d059736cf.att

Maybe I'm also doing something wrong, but I seemingly cannot get it to work with `vexctl attest --attach --sign`.
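
A triage script for this failure mode, added here as an example and not part of vexctl, cosign or the original issue: it reads an `.att` manifest as JSON and reports, per DSSE layer, which of the annotations keyless `cosign verify-attestation` relies on are absent. The two layer entries quoted above are embedded as constructed input; the manifest wrapper around them, the helper names, and the decision to treat only the certificate annotation as a hard requirement (the others as expected) are assumptions of this script.

```python
"""Triage an OCI attestation (.att) manifest for the annotations that cosign
keyless verification relies on.  Added example, not part of vexctl or cosign."""
import json

# Layer media type cosign uses for DSSE-wrapped attestations (as quoted in the issue).
DSSE_MEDIA_TYPE = "application/vnd.dsse.envelope.v1+json"

# Annotation keys cosign writes on an attestation layer, taken from the
# second manifest quoted in the issue. The certificate is the one whose
# absence surfaces as "nil certificate provided" in keyless verification;
# the bundle carries the Rekor entry, the chain the Fulcio intermediates,
# and predicateType is what `cosign verify-attestation --type` matches on.
# Assumption of this script: only the certificate is treated as required.
KEYLESS_REQUIRED = ("dev.sigstore.cosign/certificate",)
KEYLESS_EXPECTED = (
    "predicateType",
    "dev.sigstore.cosign/bundle",
    "dev.sigstore.cosign/chain",
)


def check_layer(layer: dict) -> dict:
    """Return a verdict for one layer of an attestation manifest."""
    ann = layer.get("annotations") or {}
    # An empty string (like the "" signature annotation on the vexctl-written
    # layer) counts as missing: no certificate can be parsed out of "".
    missing_required = [k for k in KEYLESS_REQUIRED if not ann.get(k)]
    missing_expected = [k for k in KEYLESS_EXPECTED if not ann.get(k)]
    is_dsse = layer.get("mediaType") == DSSE_MEDIA_TYPE
    return {
        "digest": layer.get("digest"),
        "is_dsse": is_dsse,
        "predicate_type": ann.get("predicateType"),
        "missing_required": missing_required,
        "missing_expected": missing_expected,
        "keyless_verifiable": is_dsse and not missing_required,
    }


def check_manifest(manifest_json: str) -> list:
    """Check every layer of a manifest, e.g. the output of `crane manifest <ref>.att`."""
    manifest = json.loads(manifest_json)
    return [check_layer(layer) for layer in manifest.get("layers", [])]


# Constructed .att manifest holding both layers quoted in the issue: the first
# written by `vexctl attest --attach --sign`, the second by `cosign attest`.
# The "..." values are the issue's own elisions, kept as placeholders; the
# manifest envelope around the layers is assumed.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {
            "mediaType": DSSE_MEDIA_TYPE,
            "digest": "sha256:49709de8de52ec1ecb610900e2066e557edba647d70944461caaba47cf14b4dd",
            "size": 1724,
            "annotations": {"dev.cosignproject.cosign/signature": ""},
        },
        {
            "mediaType": DSSE_MEDIA_TYPE,
            "digest": "sha256:50375613538f8b551ed758fb014d0832cdb1343f18b94bbc627e7d01cb7fc40c",
            "size": 1684,
            "annotations": {
                "predicateType": "https://cosign.sigstore.dev/attestation/v1",
                "dev.cosignproject.cosign/signature": "",
                "dev.sigstore.cosign/bundle": "...",
                "dev.sigstore.cosign/certificate": "...",
                "dev.sigstore.cosign/chain": "...",
            },
        },
    ],
})


if __name__ == "__main__":
    for verdict in check_manifest(SAMPLE_MANIFEST):
        status = "OK " if verdict["keyless_verifiable"] else "BAD"
        missing = verdict["missing_required"] + verdict["missing_expected"]
        print(status, verdict["digest"], "missing:", missing)
```

Run against a live registry, the input would be the manifest of the attestation tag cosign derives from the image digest (the `sha256-<digest>.att` tag visible in the oci.dag.dev link above), for example `crane manifest docker.io/daha97/openvex:sha256-a97a15...att | python3 check_att.py` with the script adapted to read stdin; the vexctl-written layer is reported as not keyless-verifiable because its certificate annotation is absent, which matches the "nil certificate provided" error, while the cosign-written layer passes.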

puerco commented 9 months ago

Thanks for the detailed report @dhaus67! I was able to reproduce this, I'm working on a fix.