feat: fixes #547: add npm sigstore-tuf suport #731
Conversation
ramonpetgrave64
force-pushed
the
ramonpetgrave64-npm-tuf
branch
from
c3c9feb
to
17e2f5c
Compare
ramonpetgrave64
changed the title
|
@laurentsimon please take a look |
go.mod
Outdated
| ) | ||
|
|
||
| // use the pending PR #41 branch tuf-client-2 | ||
| replace github.com/sigstore/sigstore-go => github.com/sigstore/sigstore-go v0.0.0-20231222133331-d489b534902f |
There was a problem hiding this comment.
note to you: don't forget to replace before merging
There was a problem hiding this comment.
It's now using an official release of sigstore/sigstore-go@0.2.0, so I think we're ready to merge @laurentsimon @ianlewis
|
I've updated the PR to dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid. |
ramonpetgrave64
force-pushed
the
ramonpetgrave64-npm-tuf
branch
from
dfc1274
to
7d6ef52
Compare
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
ramonpetgrave64
force-pushed
the
ramonpetgrave64-npm-tuf
branch
from
7d6ef52
to
230ea37
Compare
There was a problem hiding this comment.
LGTM, thanks!
@haydentherapper if you have comments let us know
| func getKeyDataWithNpmjsKeysTarget(keys *npmjsKeysTarget, keyID, keyUsage string) (string, error) { | ||
| for _, key := range keys.Keys { | ||
| if key.KeyID == keyID && key.KeyUsage == keyUsage { | ||
| return key.PublicKey.RawBytes, nil |
There was a problem hiding this comment.
I suppose that's where we should eventually get the TUF validity period and validate against rekor entry. Let's create a tracking issue to do that both here and in Fulcio cert verification (leaf cert period verification and rekor entry timestamp)
/cc @haydentherapper
There was a problem hiding this comment.
Yep, for example it's done for Rekor like so - https://github.com/sigstore/sigstore-go/blob/main/pkg/tlog/entry.go#L274-L277
you should be able to check the attestation against the npm key validity period too - https://github.com/sigstore/root-signing/blob/main/repository/repository/targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json#L9-L11
There was a problem hiding this comment.
For now, I created the issue to track #757
|
@ramonpetgrave64 feel free to merge after addressing the few nits. Please create a tracking issue for the TUF verification discussed in #731 (comment). Thanks for the PR! |
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Addresses: #547
Uses the new sigstore-go@0.2.0
Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root.
This PR