
signature-verification: accommodate changes in cosign cli behavior and add tldr #334

Draft
wants to merge 2 commits into
base: master

Conversation

mohammed90
Member

@mohammed90 mohammed90 commented Jul 30, 2023

TODO:

  • Figure out how to fetch UUID of tlog entry using cosign to retain the multi-perspective verification

This is how the tldr looks

(image: screenshot of the rendered tldr section)

Closes #312

…d add tldr

Closes TL;DR needed for Signature Verification page #312
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
@francislavoie
Member

I'd maybe add spaces in front of each line of the command for alignment, similar to https://caddyserver.com/docs/running#usage

@mohammed90
Member Author

Notes to come back to to finish this PR:

  • The command `rekor-cli search --artifact ./{artifact} --format json` returns `{"UUIDs":["uuid-value"]}`
  • The command `rekor-cli get --uuid {output-from-previous} --format json` gives this output:

```json
{
    "Attestation": "",
    "AttestationType": "",
    "Body": {
        "HashedRekordObj": {
            "data": {
                "hash": {
                    "algorithm": "sha256",
                    "value": "7807ee6fcade5e48981fa1f41d5f72ca628cd0dcdaab79cdfe0a49909f606466"
                }
            },
            "signature": {
                "content": "MEUCIFYLRP5bkLk1LurwH6lGBqaU/kOS16s0tbJW+ImlD6TNAiEAmvE6/bvmb94hbGfaA34AOIRnytct6Uj+zikxIm4GACE=",
                "publicKey": {
                    "content": "<base64 certificate omitted>"
                }
            }
        }
    },
    "LogIndex": 158520902,
    "IntegratedTime": 1735665535,
    "UUID": "108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964",
    "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
```

The value of `Body.signature.publicKey.content` is the base64 of the certificate generated by `cosign` in the CI/CD pipeline.

I think this closes the verification loop and confirms the blob signature and transparency entry.
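As an added illustration of the two `rekor-cli` outputs described in the notes above (example code, not part of this PR or of Caddy's docs): it parses the `search` result, binds the `get` entry to a local artifact by recomputing the sha256 digest, and decodes the DER ECDSA signature before it would be handed to a verifier. Function names are hypothetical; the sample entry is constructed from the values in the thread, with the certificate replaced by a placeholder.

```python
# Added example; function names are hypothetical and the entry below is
# constructed from the thread's sample (certificate value is a placeholder).
import base64
import hashlib
import json

SEARCH_OUTPUT = '{"UUIDs":["108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964"]}'
ENTRY_OUTPUT = json.dumps({
    "Body": {"HashedRekordObj": {
        "data": {"hash": {"algorithm": "sha256",
                          "value": "7807ee6fcade5e48981fa1f41d5f72ca628cd0dcdaab79cdfe0a49909f606466"}},
        "signature": {"content": "MEUCIFYLRP5bkLk1LurwH6lGBqaU/kOS16s0tbJW+ImlD6TNAiEAmvE6/bvmb94hbGfaA34AOIRnytct6Uj+zikxIm4GACE=",
                      "publicKey": {"content": base64.b64encode(b"constructed certificate placeholder").decode()}}}},
    "LogIndex": 158520902, "IntegratedTime": 1735665535,
    "UUID": "108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964",
    "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"})


def uuids_from_search(search_json):
    """Parse `rekor-cli search --format json`; an artifact may have several entries, so return all."""
    uuids = json.loads(search_json).get("UUIDs") or []
    if not uuids:
        raise ValueError("artifact has no transparency log entry")
    return uuids


def parse_der_ecdsa_sig(der):
    """Decode SEQUENCE { INTEGER r, INTEGER s } with short-form lengths (P-256 sizes) into (r, s)."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("signature is not a short-form DER SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = der[pos + 1]
        ints.append(int.from_bytes(der[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return ints[0], ints[1]


def check_entry(entry_json, artifact_bytes):
    """Bind a `rekor-cli get` entry to the local artifact: the logged digest must equal the
    locally computed one, and the logged signature must be well-formed DER."""
    rekord = json.loads(entry_json)["Body"]["HashedRekordObj"]
    h = rekord["data"]["hash"]
    if h["algorithm"] != "sha256":
        raise ValueError("unexpected hash algorithm %s" % h["algorithm"])
    r, s = parse_der_ecdsa_sig(base64.b64decode(rekord["signature"]["content"], validate=True))
    return {"hash_matches": hashlib.sha256(artifact_bytes).hexdigest() == h["value"],
            "r_bits": r.bit_length(), "s_bits": s.bit_length()}
```

A `hash_matches` of `False` means the log entry is not about the file on disk, whatever the signature says; the decoded certificate from `publicKey.content` is what `cosign verify-blob` needs for the signature check itself.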

Development

Successfully merging this pull request may close these issues.

TL;DR needed for Signature Verification page