Closed laurentsimon closed 12 months ago
Any thoughts on the first bullet? I'm not sure we can tests it in the regression part of the test.
Any thoughts on the first bullet? I'm not sure we can tests it in the regression part of the test.
Yes, we certainly shouldn't have npm publish a known bad attestation to this effect. We also probably don't want to maintain a test key in the code, and acting conditionally. What about tampering during a test with a known attestation but mocking the signature verification for checking the bad digest alone?
the code currently does not allow mocking / ignoring / passing a custom pubKey for signature verification.
the code currently does not allow mocking / ignoring / passing a custom pubKey for signature verification.
Right: maybe our best bet is to parameterise the public key used for verification.
the code currently does not allow mocking / ignoring / passing a custom pubKey for signature verification.
Right: maybe our best bet is to parameterise the public key used for verification.
yes we can do that. It needs to be an internal API and should not be exposed to end-users.
Created https://github.com/slsa-framework/slsa-verifier/issues/709 for tracking the part on mocking sig verification.
I pressed the merge button by mistake in https://github.com/slsa-framework/slsa-verifier/pull/705. There were unresolved comments:
@trishankatdatadog @ianlewis