TLDR

This is a large PR that fixes keyless verification of the OpenVEX attestations as reported in https://github.com/openvex/vexctl/issues/143

This is a solid but temporary fix, the functionality in this PR will be moved to openvex/discovery and an upcoming trust module but it should do the work while we finish those new modules.

The summary of changes

- We now upload the signatures to rekor
- Results of signing operation and appending to the tlog are now recorded in the attestation struct
- We now add the needed OCI annotations when attaching images to enable keyless verification

Commit 4e44f2164899c1a7e38880c79d185ec79eb236d3: Refactor attestation.Sign() + Tlog append

The main goal is to add two missing features:

Register the signature data to Rekor

After signing, we now register the signature in the sigstore transparency log. This is essential to allow for keyless verification.

New SignatureData Field

The attestation now has a new SignatureData field that captures the results of the signing operation. This is required to make data like the cert and the proof of inclusion available externally (e.g. to record them in OCI annotations).

The attestation.Sign() method has been heavily refactored but should be simpler as the work it does is now broken into three internal functions:

- initSigning: creates context and options
- signAttestation: performs the actual signing
- appendSignatureDataToTLog: uploads data to rekor

Commit 5aa0d4485f6e8c38e88456fa35e3b08aca626e12: OCI Annotations

This commit modifies the attachAttestation function of the vexctl implementation to add the OCI annotations required to keylessly verify OpenVEX attestations.

/cc @cpanato
Fixes #143

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev
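The following Go program is an added illustration of the flow the PR describes; it is not vexctl's code and does not use the sigstore libraries. It mirrors the split of Sign() into initSigning, signAttestation and appendSignatureDataToTLog, keeps the results in a SignatureData value, renders that value as OCI-style annotations and then verifies from the annotations alone, which is the step that fails when the certificate or log reference was never attached. Everything not in the PR is an assumption: the shape of SignatureData, the annotation key names (cosign-style names chosen for the example, with a hypothetical key for the log index), an in-memory slice standing in for Rekor, and a self-signed certificate standing in for a short-lived Fulcio certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"strconv"
	"time"
)

// Assumed OCI annotation keys (cosign-style); the PR does not list the ones vexctl uses.
const annotSignature, annotCert = "dev.cosignproject.cosign/signature", "dev.sigstore.cosign/certificate"
const annotLogIndex = "example.invalid/tlog-index" // hypothetical key for the log reference

// SignatureData is the assumed shape of the new field: what an external verifier needs.
type SignatureData struct {
	SigB64, CertPEM string // base64 ECDSA signature and PEM signing certificate
	LogIndex        int64  // position of the entry in the transparency log
}

var fakeTLog []SignatureData // constructed in-memory stand-in for Rekor; no network is used

// initSigning: ephemeral key plus self-signed cert, standing in for a short-lived Fulcio cert.
func initSigning() (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// signAttestation signs the SHA-256 digest of the payload with ECDSA P-256.
func signAttestation(key *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// appendSignatureDataToTLog records the entry in the stand-in log; the index plays the role of the proof.
func appendSignatureDataToTLog(sd SignatureData) int64 {
	fakeTLog = append(fakeTLog, sd)
	return int64(len(fakeTLog) - 1)
}

// Sign runs the three steps and keeps their results instead of discarding them.
func Sign(payload []byte) (*SignatureData, error) {
	key, certPEM, err := initSigning()
	if err != nil {
		return nil, err
	}
	sigB64, err := signAttestation(key, payload)
	if err != nil {
		return nil, err
	}
	sd := &SignatureData{SigB64: sigB64, CertPEM: certPEM}
	sd.LogIndex = appendSignatureDataToTLog(*sd)
	return sd, nil
}

// Annotations renders SignatureData as the map attached to the OCI descriptor.
func (sd *SignatureData) Annotations() map[string]string {
	return map[string]string{annotSignature: sd.SigB64, annotCert: sd.CertPEM,
		annotLogIndex: strconv.FormatInt(sd.LogIndex, 10)}
}

// VerifyFromAnnotations: keyless-style verification from the payload and annotations alone.
func VerifyFromAnnotations(payload []byte, ann map[string]string) error {
	block, _ := pem.Decode([]byte(ann[annotCert]))
	if block == nil {
		return errors.New("missing or malformed certificate annotation")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(ann[annotSignature]) // bad base64 fails the check below
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return err
	}
	idx, err := strconv.ParseInt(ann[annotLogIndex], 10, 64)
	if err != nil || idx < 0 || idx >= int64(len(fakeTLog)) ||
		fakeTLog[idx].SigB64 != ann[annotSignature] || fakeTLog[idx].CertPEM != ann[annotCert] {
		return errors.New("no transparency log entry matching the annotations")
	}
	return nil
}
```

Call Sign on a payload, attach the map from Annotations to the OCI descriptor, and run VerifyFromAnnotations with only the payload and that map. Dropping the certificate annotation, tampering with the payload, or pointing the log reference at an entry recorded for a different signature each makes verification fail, which is the behaviour the missing annotations prevented.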