
[feature] Reduce latency during inclusion proof validation

Open laurentsimon opened this issue 3 years ago • 1 comments

The log entry https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/rekor.go#L68 has the information for validating the inclusion proof, so we should be able to just do:

```go
logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
...
// logEntry is already a *models.LogEntryAnon; reuse err rather than redeclaring it.
err = cosign.VerifyTLogEntry(ctx, rekorClient, logEntry)
```

Something @bobcallaway pointed out.

@asraa assigning to you.

laurentsimon avatar Aug 03 '22 14:08 laurentsimon

I believe this is because we wanted the entry UUID and the TLogUploadInTotoAttestation func does not provide that.

We can just calculate it from the entry body.

asraa avatar Aug 05 '22 14:08 asraa