openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

Fix keyless verification of openvex attestations #147

Closed puerco closed 9 months ago

puerco commented 9 months ago

TLDR

This is a large PR that fixes keyless verification of the OpenVEX attestations as reported in https://github.com/openvex/vexctl/issues/143

This is a solid but temporary fix: the functionality in this PR will be moved to openvex/discovery and an upcoming trust module, but it should do the work while we finish those new modules.

The summary of changes

  1. We now upload the signatures to rekor
  2. Results of the signing operation and of appending to the tlog are now recorded in the attestation struct
  3. We now add the needed OCI annotations when attaching images to enable keyless verification

Commit 4e44f2164899c1a7e38880c79d185ec79eb236d3: Refactor attestation.Sign() + Tlog append

The main goal is to add two missing features:

  1. Register the signature data to Rekor
    After signing, we now register the signature in the sigstore transparency log. This is essential to allow for keyless verification.

  2. New SignatureData Field
    The attestation now has a new SignatureData field that captures the results of the signing operation. This is required to make data like the cert and the proof of inclusion available externally (e.g. to record them in OCI annotations).

The attestation.Sign() method has been heavily refactored but should be simpler as the work it does is now broken into three internal functions:

Commit 5aa0d4485f6e8c38e88456fa35e3b08aca626e12: OCI Annotations

This commit modifies the attachAttestation function of the vexctl implementation to add the OCI annotations required to keylessly verify OpenVEX attestations.

/cc @cpanato Fixes #143

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev
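The flow the PR describes (sign with an ephemeral key, record what signing produced, publish it as OCI annotations so a verifier can work keylessly) as an added Go example. This is not vexctl's or cosign's code: the three annotation key names are cosign's, everything else is illustrative. The `signatureData` type is a hypothetical stand-in for the PR's SignatureData field, the self-signed certificate stands in for the one Fulcio issues, and the Rekor bundle contents are constructed rather than returned by a transparency log. The verifier side shows why the annotations matter: without the certificate annotation there is no key to check the signature against, so keyless verification has to fail closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Annotation keys cosign reads from an attestation layer when verifying (names
// from cosign's pkg/oci/static). Everything else here is illustrative, not vexctl code.
const (
	annotSignature   = "dev.cosignproject.cosign/signature"
	annotCertificate = "dev.sigstore.cosign/certificate"
	annotBundle      = "dev.sigstore.cosign/bundle"
)

// rekorBundle follows the JSON cosign stores in the bundle annotation (subset of fields).
type rekorBundle struct {
	SignedEntryTimestamp []byte `json:"SignedEntryTimestamp"`
	Payload              struct {
		IntegratedTime int64 `json:"integratedTime"`
		LogIndex       int64 `json:"logIndex"`
	} `json:"Payload"`
}

// signatureData is a hypothetical stand-in for the SignatureData field the PR adds.
type signatureData struct {
	Signature, CertPEM []byte
	Bundle             rekorBundle
}

// signStatement stands in for the keyless flow: an ephemeral key, a short-lived self-signed
// certificate (Fulcio issues the real one) and a constructed Rekor bundle (Rekor returns the real one).
func signStatement(statement []byte) (sd signatureData, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return sd, err
	}
	digest := sha256.Sum256(statement) // stand-in for the DSSE pre-authentication encoding cosign signs
	if sd.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return sd, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute)} // minutes, like Fulcio
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return sd, err
	}
	sd.CertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	sd.Bundle.SignedEntryTimestamp = []byte("constructed-set-bytes") // constructed, not from Rekor
	sd.Bundle.Payload.IntegratedTime, sd.Bundle.Payload.LogIndex = time.Now().Unix(), 42
	return sd, nil
}

// annotationsFor builds the OCI layer annotations that let a verifier recover
// signature, certificate and tlog proof from the registry alone.
func annotationsFor(sd signatureData) (map[string]string, error) {
	bundleJSON, err := json.Marshal(sd.Bundle)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		annotSignature:   base64.StdEncoding.EncodeToString(sd.Signature),
		annotCertificate: string(sd.CertPEM),
		annotBundle:      string(bundleJSON),
	}, nil
}

// verifyFromAnnotations is the consumer side. Without the certificate annotation
// there is no public key to check against, so a keyless verifier must fail closed.
func verifyFromAnnotations(statement []byte, ann map[string]string) error {
	block, _ := pem.Decode([]byte(ann[annotCertificate]))
	if block == nil {
		return fmt.Errorf("missing or malformed %s annotation: keyless verification impossible", annotCertificate)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(ann[annotSignature]) // a decode error fails verification below
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, statement, sig); err != nil {
		return fmt.Errorf("signature does not verify under the annotated certificate: %w", err)
	}
	var b rekorBundle
	if err := json.Unmarshal([]byte(ann[annotBundle]), &b); err != nil || len(b.SignedEntryTimestamp) == 0 {
		return fmt.Errorf("missing or incomplete %s annotation", annotBundle)
	}
	// A real verifier also checks the SET against Rekor's key and the certificate
	// against the Fulcio chain and the expected identity; omitted here.
	return nil
}
```

Running `verifyFromAnnotations` over the map from `annotationsFor` succeeds; dropping the certificate entry from that map, or changing a byte of the statement, makes it return an error. The certificate and bundle checks are the part a real keyless verifier adds on top of the signature check (chain to Fulcio, identity match, SET signed by Rekor), which this example leaves as a comment.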

puerco commented 9 months ago

cosign verify attestation now works


cpanato commented 9 months ago

thanks