
Fixing CA Path Flag to be used and adding policy timestamp server flag

Open ChaosInTheCRD opened this issue 1 year ago • 7 comments

This PR contains a fix for the bug that was noticed, in which vo.PolicyCAPaths was not used in the Verify function. Note that this change working correctly is dependent on changes to https://github.com/in-toto/go-witness.

The other half of this PR focuses on allowing users to sign their policy with a timestamp authority and, if they have done so, allowing them to supply the CA certificate of the timestamp authority server for use in the policy verification flow. Once again this change is dependent on changes to go-witness.

This PR depends on https://github.com/in-toto/go-witness/pull/124

ChaosInTheCRD, Jan 11 '24 12:01

Can we add the same additional flags that Sigstore uses? https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect

[email protected] and --certificate-oidc-issuer=https://accounts.example.com

jkjell, Jan 11 '24 14:01

This PR is dependent on https://github.com/in-toto/go-witness/pull/144

ChaosInTheCRD, Jan 29 '24 19:01

#114's been merged, can we get this updated and ready for final review?

mikhailswift, Feb 12 '24 16:02

@ChaosInTheCRD I've been thinking a bit about this and I think this might be a blocker for this PR. One of the critical things to verify on a Fulcio cert is the Issuer, which is an extension we don't support yet.

jkjell, Feb 20 '24 04:02
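
The Fulcio issuer check jkjell raises above, as an added example in Go that is not code from witness, go-witness or this PR. It also shows the CA-pool step that the vo.PolicyCAPaths fix is about: chain the signing certificate to the supplied CAs first, then constrain the identity (email SAN) and the OIDC issuer the way the --certificate-identity / --certificate-oidc-issuer flags would. Assumptions: the extension OID 1.3.6.1.4.1.57264.1.8 and its DER UTF8String encoding come from my reading of the sigstore/fulcio OID documentation; IdentityPolicy, verifySignerCert, fulcioIssuer and issueTestCert are hypothetical names; the CA, leaf certificate and identities are constructed inside the block so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's V2 issuer extension OID (assumed from the sigstore/fulcio OID docs,
// not from this PR); its value is a DER-encoded UTF8String.
var oidFulcioIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// IdentityPolicy (hypothetical) holds what --certificate-identity and --certificate-oidc-issuer would supply.
type IdentityPolicy struct {
	Identity string // expected email SAN of the signing certificate
	Issuer   string // expected OIDC issuer recorded by Fulcio
}

// fulcioIssuer reads the V2 issuer extension. (Older certs used OID
// 1.3.6.1.4.1.57264.1.1 holding the raw string; a real verifier handles both.)
func fulcioIssuer(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidFulcioIssuerV2) {
			continue
		}
		var s string
		if rest, err := asn1.Unmarshal(ext.Value, &s); err != nil || len(rest) != 0 {
			return "", fmt.Errorf("malformed Fulcio issuer extension: %v", err)
		}
		return s, nil
	}
	return "", fmt.Errorf("certificate carries no Fulcio issuer extension")
}

// verifySignerCert chains the leaf to the CA pool (what the policy CA paths feed), then
// enforces issuer and identity: a valid chain alone only proves Fulcio issued the cert to someone.
func verifySignerCert(leaf *x509.Certificate, roots *x509.CertPool, pol IdentityPolicy) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	iss, err := fulcioIssuer(leaf)
	if err != nil {
		return err
	}
	if iss != pol.Issuer {
		return fmt.Errorf("OIDC issuer %q does not match expected %q", iss, pol.Issuer)
	}
	for _, e := range leaf.EmailAddresses {
		if e == pol.Identity {
			return nil
		}
	}
	return fmt.Errorf("identity %q not among SANs %v", pol.Identity, leaf.EmailAddresses)
}

// must unwraps (value, error) pairs; used only to build the test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueTestCert builds a throwaway CA plus a Fulcio-style leaf with the V2 issuer extension (constructed test data).
func issueTestCert(issuer, email string) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-fulcio-root"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), EmailAddresses: []string{email},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute), // short-lived, like Fulcio
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		// UTF8String wire format; the extension must stay non-critical or Go's Verify rejects the cert.
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuerV2, Value: must(asn1.MarshalWithParams(issuer, "utf8"))}},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots
}

func main() {
	leaf, roots := issueTestCert("https://accounts.example.com", "alice@example.com")
	pol := IdentityPolicy{Identity: "alice@example.com", Issuer: "https://accounts.example.com"}
	fmt.Println("matching policy:", verifySignerCert(leaf, roots, pol))
	pol.Issuer = "https://idp.attacker.example"
	fmt.Println("wrong issuer:", verifySignerCert(leaf, roots, pol))
}
```

The order of checks matters less than their presence: chain validity is necessary but says nothing about who the signer is, so the issuer and identity comparisons are what turn "a Fulcio cert" into "the cert we trust to sign this policy". Note that each constraint is another flag on the CLI, which is the flag-count concern raised later in the thread.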

@jkjell good that you noted these custom cert extensions and I certainly think we should follow up with work to support them. However, that work is relevant to https://github.com/in-toto/go-witness, and moreover this work specifically aims to bring policy signature verification logic up to scratch with what we are currently able to use to verify attestation signatures.

Provided you're happy, I suggest we merge this PR for now. We then follow up with subsequent PRs in https://github.com/in-toto/go-witness and then finally implement it here in https://github.com/in-toto/witness.

Note that (I probably sound like a broken record, but) we need to consider how these extra custom extensions might affect the total number of flags. I think as an MVP just adding them will be fine, but I think some consideration into how we could potentially consolidate them might be worthwhile.

ChaosInTheCRD, Feb 20 '24 10:02

What I will say however, is if you think this is high priority enough, I can expedite this and we can try and bundle it into this PR.

ChaosInTheCRD, Feb 20 '24 10:02

Deploy Preview for witness-project canceled.

Latest commit: 6e5265eecfe0d0612e93381ca90f328d249b9d51
Latest deploy log: https://app.netlify.com/sites/witness-project/deploys/6645f4245214d00008542978

netlify[bot], Feb 21 '24 10:02

Looks like we're missing a couple of test files: ./test/policy-signed.json and ./test/policy.json.

jkjell, May 02 '24 04:05

I need to loop back over this so we can get it ready for merge. This includes factoring in https://github.com/in-toto/go-witness/pull/174

ChaosInTheCRD, May 03 '24 17:05