
Failure to upload in-toto link metadata to Rekor

Open znewman01 opened this issue 2 years ago • 6 comments

@jspeed-meyers @SantiagoTorres thank you guys so much for your swift response. Let me summarise the issue I have faced.

I am currently exploring the in-toto + Rekor stack. Basically I am trying to generate signed metadata for each supply chain step (e.g. git checkout code, run unit tests) using the in-toto CLI (https://in-toto.readthedocs.io/en/latest/command-line-tools/in-toto-run.html)

```
in-toto-run <named arguments> [optional arguments] \
     -- <command> [args]
```

The output of the previous step is a link file; you can find the spec here https://github.com/in-toto/docs/blob/master/in-toto-spec.md#44-file-formats-namekeyid-prefixlink

After generating the .link file, I want to leverage the Rekor transparency log to store this signed metadata. I saw In-Toto Attestations listed as a supported type here, so I tried the command

```
rekor-cli upload --rekor_server https://rekor.sigstore.dev --artifact git-metadata.a0a78898.link --type intoto --public-key mykey.pub
```

but it gave this error

```
[POST /api/v1/log/entries][400] createLogEntryBadRequest  &{Code:400 Message:Error processing entry: Accepted signatures do not match threshold, Found: 0, Expected 1}
```

I am very new to Rekor and in-toto and want to ask two questions:

  1. Does the link file generated by the in-toto CLI follow the in-toto attestation schema that is supported by Rekor?
  2. If not, how should I convert the link metadata to a schema that can be consumed by Rekor? Or do I need to add a new type myself following the steps on https://docs.sigstore.dev/rekor/pluggable-types ?

Hope I have made the problem clear. Let me know if you need any more clarification! Thank you :)

Originally posted by @hanyuwang1993 in https://github.com/sigstore/rekor/issues/665#issuecomment-1058714515

znewman01 · Mar 04 '22 14:03

Rekor does support in-toto but either:

  1. It's looking for something other than the link metadata format, or
  2. The link metadata you're generating is not correctly signed (e.g., mismatched keys)

Can you successfully in-toto-verify the resulting file? If not, that points to (2).

Regarding (1), it looks like there could be a version mismatch: the Rekor tree for in-toto has a schema for "v0.0.1"; the in-toto website links to "v0.9". CC @adityasaky

znewman01 · Mar 04 '22 14:03

Does rekor support link metadata, or just ITE-6 attestations? I'm personally unaware...

As for the version mismatch, the in-toto website still points to the specification which is still v0.9. I'm guessing the v0.0.1 is an initial pass at an ITE-6 attestation. Probably needs to be bumped though? The versions do need to be synced in a sane manner to avoid confusion.

adityasaky · Mar 04 '22 15:03

It used to at least, haha. The early rekor impl was exclusively in-toto stuff.

SantiagoTorres · Mar 04 '22 18:03

Actually, it is more likely it's a DSSE problem. Aditya, we don't have DSSE support for in-toto python, right?

SantiagoTorres · Mar 04 '22 18:03

No, we don't. Did rekor update to only supporting DSSE?

adityasaky · Mar 04 '22 20:03
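As an added example, not code from this thread or from the rekor or in-toto projects: a pre-flight check that tells a legacy `.link` file apart from a DSSE envelope and shows the bytes each kind of signature covers. It assumes, as the last comments suggest, that Rekor's intoto type verifies a DSSE envelope; both documents are constructed samples with placeholder key ids, signatures and predicate type, and the legacy canonical JSON is only approximated with `json.dumps`.

```python
import base64
import json

# Constructed legacy in-toto link metadata (keyid and sig are placeholders, not real values).
LEGACY_LINK = {
    "signatures": [{"keyid": "PLACEHOLDER_KEYID", "sig": "PLACEHOLDER_SIG"}],
    "signed": {
        "_type": "link",
        "name": "git-metadata",
        "command": ["git", "clone", "https://example.invalid/repo.git"],
        "materials": {},
        "products": {"repo/README.md": {"sha256": "0" * 64}},
        "byproducts": {"return-value": 0, "stdout": "", "stderr": ""},
        "environment": {},
    },
}

# Constructed DSSE envelope around an ITE-6 Statement (predicateType and sig are placeholders).
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "repo/README.md", "digest": {"sha256": "0" * 64}}],
    "predicateType": "https://example.invalid/PLACEHOLDER_PREDICATE_TYPE",
    "predicate": {"command": ["git", "clone", "https://example.invalid/repo.git"]},
}
DSSE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "PLACEHOLDER_KEYID", "sig": "PLACEHOLDER_SIG"}],
}

def detect_format(doc: dict) -> str:
    """Classify a parsed JSON file before upload: legacy link, DSSE envelope, or unknown."""
    if {"signed", "signatures"}.issubset(doc) and doc["signed"].get("_type") == "link":
        return "legacy-link"
    if {"payloadType", "payload", "signatures"}.issubset(doc):
        return "dsse"
    return "unknown"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes a DSSE signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def dsse_signing_input(envelope: dict) -> bytes:
    """Bytes a DSSE verifier (such as Rekor's intoto type) checks each signature against."""
    return pae(envelope["payloadType"], base64.b64decode(envelope["payload"]))

def legacy_signing_input(link: dict) -> bytes:
    """Bytes a legacy link signature covers: canonical JSON of 'signed' (approximated here)."""
    return json.dumps(link["signed"], sort_keys=True, separators=(",", ":")).encode()
```

Because the two signing inputs are different byte strings, a signature made over a legacy link body can never be counted by a DSSE verifier, which matches the "Found: 0, Expected 1" threshold error above.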