Closed laurentsimon closed 9 months ago
@trishankatdatadog PTAL
I like that you used the dsselib.EnvelopeVerifier
interface.
Could you maybe add a bit more in the PR description as to what this PR is doing? esp. that this is adding support for IEEE P1363 formatted signatures.
Can confirm the patch works:
➜ slsa-verifier git:(fix/npm-publish-sig) SLSA_VERIFIER_EXPERIMENTAL=1 go run ./cli/slsa-verifier verify-npm-package ~/GitHub.com/trishankatdatadog/hekate/supreme-goggles.tgz \
--attestations-path ~/GitHub.com/trishankatdatadog/hekate/attestations.json \
--builder-id "https://github.com/actions/runner/github-hosted" \
--package-name "@trishankatdatadog/supreme-goggles" \
--package-version 1.0.5 \
--source-uri github.com/trishankatdatadog/supreme-goggles
Verified build using builder https://github.com/actions/runner/github-hosted at commit 38ebf99444e033b2f1550c9aaaeacd62d02a12ba
Verifying npm package /Users/trishank.kuppusamy/GitHub.com/trishankatdatadog/hekate/supreme-goggles.tgz: FAILED: invalid signature: accepted signatures do not match threshold, Found: 0, Expected 1
FAILED: SLSA verification failed: invalid signature: accepted signatures do not match threshold, Found: 0, Expected 1
exit status 1
Will try to review code ASAP. Thanks for fixing this!
LGTM, could use another pair of eyes to see whether I missed anything, thx!
@ianlewis provided a good review already. Waiting for his LGTM too. Thanks again!
Just to double-check: we do verify that the observed artefact digest does match the expected subject digest in both the provenance and publish attestations, correct?
Just to double-check: we do verify that the observed artefact digest does match the expected subject digest in both the provenance and publish attestations, correct?
yes
yes
Sorry to press you, but is there a test to this effect? I may have missed it...
yes
Sorry to press you, but is there a test to this effect? I may have missed it...
the tests are not part of this PR. They are present in the rest of the code.