
git storage with signature mapping.

Open lukehinds opened this issue 3 years ago • 4 comments

We can use git / github API (and possibly gitlab, insert other cloud git provider) as a storage system for signature materials.

The following structure would be created during the signing operation:

$repo/.sigstore/{artifact-digest}/{signature} & {pub_key|or|fulcio_cert}

For client verification we can use the contents API and then perform a lookup via the artifact digest (allowing us to map from digest to signature).

curl -s https://api.github.com/repos/sigstore/sget/contents/tests/test.sh | jq -r .content | base64 -d | sha256sum

We can then also retrieve from the download_url (and compute the digest locally)

curl -s https://api.github.com/repos/sigstore/sget/contents/tests/test.sh | jq -r .download_url

This gives us a form of attached signatures (or mapped signatures), but without the race gap that's present using an OCI registry.

I also like the aspect of git not being a single source, but a distributed source. This makes offline verification possible and we bolster security guarantees as git is a nice immutable (its history) store in itself.

Example: (screenshot attached in the original issue)

lukehinds avatar Jan 05 '22 15:01 lukehinds

Nice!

The GitHub Contents API and GitLab's Repo Contents API both assume the default branch, and in both cases you can set it with ?ref=v1.2.3, ?ref=<commit>, etc.

What's the flow you're imagining for getting the signatures into .sigstore/ in the first place? It could be something in a pre-commit hook.

imjasonh avatar Jan 06 '22 14:01 imjasonh

Isn't there still the race here since you need to commit the signatures? Maybe that's what @imjasonh is saying.

dlorenc avatar Jan 06 '22 14:01 dlorenc

Yeah, my question was (poorly elaborated): how do we make sure the signature changes end up in the same commit as changes to the signed file(s)?

Having them in separate commits (e.g., a GitHub Action that adds a commit afterward) introduces races, and lets you fetch ?ref=<commit-before-signature-change>.

Having it be a pre-commit hook, either to slip in the signature before committing, or at least to check "hey, you forgot to sign this", seems like a more reliable path.

imjasonh avatar Jan 06 '22 15:01 imjasonh
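The digest-to-signature mapping from the opening post, together with the "commit before the signature change" race described just above, as an added example that is not part of the issue or of sget-rs. The git tree is stood in for by a path-to-bytes dict, and the signature and certificate bytes are placeholders; the cryptographic verification of the returned materials is left to the caller.

```python
import base64
import hashlib
import json
from typing import Dict, Optional

# Constructed stand-in for the files reachable at one git ref: path -> bytes.
Tree = Dict[str, bytes]

def artifact_digest(data: bytes) -> str:
    """sha256 hex digest, the same value `sha256sum` prints in the issue."""
    return hashlib.sha256(data).hexdigest()

def decode_contents_response(body: str) -> bytes:
    """Decode the base64 'content' field of a GitHub Contents API response.
    GitHub wraps the base64 at 60 columns; b64decode discards the newlines."""
    obj = json.loads(body)
    if obj.get("encoding") != "base64":
        raise ValueError(f"unexpected encoding: {obj.get('encoding')!r}")
    return base64.b64decode(obj["content"])

def lookup_signature(tree: Tree, artifact_path: str) -> Optional[dict]:
    """Map an artifact to .sigstore/<digest>/ materials taken from the SAME ref.
    Returns None when that ref carries no signature for the artifact's current
    digest, which is what ?ref=<commit-before-signature-change> would see."""
    data = tree.get(artifact_path)
    if data is None:
        return None
    digest = artifact_digest(data)
    prefix = f".sigstore/{digest}/"
    materials = {p[len(prefix):]: v for p, v in tree.items() if p.startswith(prefix)}
    if "signature" not in materials:
        return None
    if "pub_key" not in materials and "fulcio_cert" not in materials:
        return None
    return {"digest": digest, "artifact": data, **materials}

# Constructed sample data (placeholder signature/cert, not real Sigstore output).
SCRIPT_V1 = b"#!/bin/sh\necho hello\n"
SCRIPT_V2 = b"#!/bin/sh\necho hello, changed\n"
CONTENTS_RESPONSE = json.dumps({
    "encoding": "base64",
    "content": base64.b64encode(SCRIPT_V1).decode() + "\n",
    "download_url": "https://example.invalid/tests/test.sh",  # placeholder
})
SIGNED_TREE: Tree = {
    "tests/test.sh": SCRIPT_V1,
    f".sigstore/{artifact_digest(SCRIPT_V1)}/signature": b"<sig-placeholder>",
    f".sigstore/{artifact_digest(SCRIPT_V1)}/fulcio_cert": b"<cert-placeholder>",
}
# Script changed, but the commit carrying its new signature has not landed yet.
RACE_TREE: Tree = {**SIGNED_TREE, "tests/test.sh": SCRIPT_V2}
```

Looking up `tests/test.sh` in `RACE_TREE` returns None because the stored `.sigstore/` directory is keyed by the old digest, so a verifier pinned to that ref rejects rather than accepting a stale signature.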

There are two methods. If the script has unstaged changes, then they can commit the whole lot together:

https://github.com/lukehinds/acme/pull/8/files

If the file is not changed / staged, we can commit the signature and use the digest of the file as a map:

https://github.com/lukehinds/acme/tree/main/.sigstore/6a830ae2bd0a2a6e51a3885996db8092846a91ba7561c34e35aa81c570751e70


See any issues with that?

lukehinds avatar Jan 17 '22 12:01 lukehinds