Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KMS Support #376

Merged
merged 48 commits into from
Feb 16, 2024
Merged

KMS Support #376

merged 48 commits into from
Feb 16, 2024

Conversation

ChaosInTheCRD
Copy link
Collaborator

What this PR does / why we need it

Adds KMS Support, so you can sign and verify with KMS

Description
Before merging docs need to be written. This is also a draft PR as we are waiting for merge on in-toto/go-witness#120.

@ChaosInTheCRD
adding changes for testing kms
e6370e0 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD ChaosInTheCRD marked this pull request as ready for review February 6, 2024 16:01
@ChaosInTheCRD
Copy link
Collaborator Author

ChaosInTheCRD commented Feb 6, 2024
edited
Loading

TODO:

  • Docs
  • Ensure that appropriate options are available

@ChaosInTheCRD
Copy link
Collaborator Author

@mikhailswift @jkjell @kairoaraujo review of this would be appreciated. I am aware that builds are failing, i'll tend to this when I get a moment.

mikhailswift
mikhailswift reviewed Feb 7, 2024
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@ChaosInTheCRD ChaosInTheCRD changed the title Testing kms KMS Support Feb 8, 2024
ChaosInTheCRD and others added 24 commits February 13, 2024 17:20
@ChaosInTheCRD
implementing verifier for policy with KMS
5a54f85 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
adding changes
2ecd4a4 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
removing log
68d2595 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
saving progress
4d307e0 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@jkjell @ChaosInTheCRD
Add FOSSA license scanning
86401c7 
Signed-off-by: John Kjell <john@testifysec.com>
@jkjell @ChaosInTheCRD
Add Security MD files an add FOSSA scan badge
ec7e08e 
Signed-off-by: John Kjell <john@testifysec.com>
@jkjell @ChaosInTheCRD
Pin dependencies and restrict permissions
421693d 
Signed-off-by: John Kjell <john@testifysec.com>
@jkjell @ChaosInTheCRD
Add signing to goreleaser and Best Practices badge to readme.
718cd31 
Signed-off-by: John Kjell <john@testifysec.com>
@jkjell @ChaosInTheCRD
Add cosign install
dddfd28 
Signed-off-by: John Kjell <john@testifysec.com>
@dependabot @ChaosInTheCRD
chore: bump actions/cache from 3.3.2 to 3.3.3 (in-toto#355)
2dc9d28 
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.2 to 3.3.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@704facf...e12d46a)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 (in-toto#356)
385a822 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@c7d193f...1eb3cb2)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump github/codeql-action from 3.22.12 to 3.23.0 (in-toto#357)
447de01 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.12 to 3.23.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@012739e...e5f05b8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/download-artifact from 4.1.0 to 4.1.1 (in-toto#358)
f7a02a0 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@f44cd7b...6b208ae)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@jkjell @ChaosInTheCRD
Initial attempt at PR and Issue templates (in-toto#351)
a537728 
* Initial attempt at PR and Issue templates

Signed-off-by: John Kjell <john@testifysec.com>

* Address some review feedback

Signed-off-by: John Kjell <john@testifysec.com>

---------

Signed-off-by: John Kjell <john@testifysec.com>
Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump actions/cache from 3.3.3 to 4.0.0 (in-toto#364)
99761cb 
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.3 to 4.0.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@e12d46a...13aacd8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/upload-artifact from 4.1.0 to 4.2.0 (in-toto#363)
4c094f3 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@1eb3cb2...694cdab)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump github/codeql-action from 3.23.0 to 3.23.1 (in-toto#365)
e117f4b 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.0 to 3.23.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@e5f05b8...0b21cf2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/dependency-review-action from 3.1.5 to 4.0.0 (in-…
a41f691 
…toto#366)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.5 to 4.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@c74b580...4901385)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@ChaosInTheCRD
saving progress
cc2ff13 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
adding hashivault provider
4e82f5d 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump actions/upload-artifact from 4.2.0 to 4.3.0 (in-toto#369)
5b33853 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@694cdab...26f96df)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump github/codeql-action from 3.23.1 to 3.23.2 (in-toto#370)
0658d4b 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.1 to 3.23.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0b21cf2...b7bf0a3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
@ChaosInTheCRD
we dont always add verifiers
8da44b5 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
preparing for draft PR
b504a0f 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
ChaosInTheCRD and others added 14 commits February 13, 2024 17:20
@ChaosInTheCRD
adding local reference to go-witnes
a6fa76d 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
added implementation for passing in extra options for the kms providers
1fd8181 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
refactors to fix provider options overwrite bug
d27cc60 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
adding hashivault provider
900494a 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
we dont always add verifiers
6cdb454 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
preparing for draft PR
4967272 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
adding local reference to go-witnes
d54e511 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump github/codeql-action from 3.23.2 to 3.24.0 (in-toto#378)
6cbf6c3 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b7bf0a3...e8893c5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump step-security/harden-runner from 2.6.1 to 2.7.0 (in-toto#379
1030699 
)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@eb238b5...63c24ba)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
@dependabot @ChaosInTheCRD
chore: bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (in-toto#380)
06b80ff 
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@9614fae...e1523de)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/download-artifact from 4.1.1 to 4.1.2 (in-toto#382)
669893b 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@6b208ae...eaceaf8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @ChaosInTheCRD
chore: bump actions/upload-artifact from 4.3.0 to 4.3.1 (in-toto#383)
95f56df 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@26f96df...5d5d22a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@ChaosInTheCRD
minor changes
91b558a 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
fixing tests
13095f1 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
Merge branch 'main' into testing-kms
8962cd8 
Signed-off-by: Tom Meadows <tom@tmlabs.co.uk>
@ChaosInTheCRD
Merge branch 'main' of github.com:in-toto/witness into testing-kms
7a3b84c 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
Merge branch 'testing-kms' of github.com:ChaosInTheCRD/witness into t…
c16fdb2 
…esting-kms

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
adding docs
d275bd8 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
Copy link
Collaborator Author

Note that tests won't pass until we merge in-toto/go-witness#120 and cut a new release of go-witness

tannerjones4075
tannerjones4075 approved these changes Feb 13, 2024
View reviewed changes
Copy link

@tannerjones4075 tannerjones4075 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed the documentation for KMS and it is thorough and well laid out. I put my stamp of approval :)

jkjell
jkjell reviewed Feb 16, 2024
View reviewed changes
Copy link
Member

@jkjell jkjell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking really good. Once we cut a go-witness release cut and the lint/testing stuff fixed up. I think this will be good to go. I'll dive into kms.md more tomorrow.

@ChaosInTheCRD
pinning to new version of go-witness
235870c 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
removing local reference to go-witness
faa5fef 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
updating Go
4f1f245 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
fixing docgen
cf6c7b6 
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
@ChaosInTheCRD
Copy link
Collaborator Author

All tests passing. Hopefully we can get this merged and a new release cut today @jkjell

@jkjell
Remove replace in go.mod and minor updates to docs
32ff6de 
Signed-off-by: John Kjell <john@testifysec.com>
@jkjell jkjell merged commit c27a4f5 into in-toto:main Feb 16, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adityasaky adityasaky adityasaky left review comments

@mikhailswift mikhailswift mikhailswift left review comments

@tannerjones4075 tannerjones4075 tannerjones4075 approved these changes

@jkjell jkjell jkjell approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ChaosInTheCRD @jkjell @mikhailswift @adityasaky @tannerjones4075