Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set bundleVerified to true after Rekor verification (Resolves #3740) #3745

Merged

Conversation

maxlambrecht
Copy link
Contributor

Summary

This PR addresses an issue where the bundleVerified flag was not set to true after a successful online Rekor verification. The change ensures that bundleVerified accurately reflects the verification status when Rekor lookup is used.

Resolves #3740

Release Note

Documentation

Copy link

codecov bot commented Jun 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.83%. Comparing base (2ef6022) to head (b62e437).
Report is 140 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3745      +/-   ##
==========================================
- Coverage   40.10%   36.83%   -3.27%     
==========================================
  Files         155      200      +45     
  Lines       10044    12233    +2189     
==========================================
+ Hits         4028     4506     +478     
- Misses       5530     7177    +1647     
- Partials      486      550      +64     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@haydentherapper
Copy link
Contributor

Thanks! Can you add a test for this? I think you just need to check what's returned by a code block like

if _, err := VerifyImageSignature(context.TODO(), ociSig, v1.Hash{}, &CheckOpts{
SigVerifier: sv,
RekorClient: mClient,
Identities: []Identity{{Subject: "subject@mail.com", Issuer: "oidc-issuer"}},
.

If adding this test isn't straightforward, that's fine, this is a simple enough change.

…e#3740)

Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
@maxlambrecht maxlambrecht force-pushed the fix-bundle-verified-flag branch from 65969ae to 8372f1a Compare June 29, 2024 22:56
@maxlambrecht
Copy link
Contributor Author

Thanks! Can you add a test for this? I think you just need to check what's returned by a code block like

if _, err := VerifyImageSignature(context.TODO(), ociSig, v1.Hash{}, &CheckOpts{
SigVerifier: sv,
RekorClient: mClient,
Identities: []Identity{{Subject: "subject@mail.com", Issuer: "oidc-issuer"}},

.

If adding this test isn't straightforward, that's fine, this is a simple enough change.

It wasn't straightforward, but I managed to add a comprehensive test covering several scenarios. I refactored the existing test, which only covered a failing validation, and combined it with other cases to ensure thorough coverage.

Let me know if you need any further adjustments or additional scenarios covered.

Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, and thanks for the tests too!

@haydentherapper haydentherapper merged commit 8b55af2 into sigstore:main Jul 1, 2024
21 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Jul 1, 2024
@mtrmac
Copy link
Contributor

mtrmac commented Jul 3, 2024

I have no particular opinion on the desired semantics of the “bundleVerified” return value [my general position is that verification should be provided a policy and, apart from debugging-only output, return a single yes/no outcome, not any details to be further interpreted] — but AFAICS this value is consumed in

ui.Infof(ctx, " - Existence of the claims in the transparency log was verified offline")
, which claims the off-line validation has succeeded.

With this PR, bundleVerified is set to true if off-line validation did not succeed, but an on-line Rekor client check did.

I don’t know which part should be adjusted, but right now the codebase seems to be inconsistent.

@haydentherapper
Copy link
Contributor

I agree, unfortunately we have inconsistencies in the codebase between what verification steps were taken and the debug output.

Even bundleVerified is misleading because we mean that we've verified Rekor, not the "bundle" aka the sig, cert and inclusion proof.

The plan is to clean all of this up with the adoption of sigstore-go as the internal API for Cosign.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

bundleVerified Flag Not Set After Successful Rekor Online Verification in Cosign
3 participants