
[feature] Support offline attestation verification: .sigstore file or persisted SET

Open asraa opened this issue 3 years ago • 1 comment

This is a tracking issue and discussion for whether we should move to support the proposed Sigstore attestation blob format when it is implemented.

See https://docs.google.com/document/d/1gucjOA_bGyRjK6TeaOI-X5GIUv8WsPzeMDMkq25Kv4Y/edit#heading=h.we5fqok7jai5 https://github.com/sigstore/cosign/issues/2131

Describe the solution you'd like

This would require outputting .sigstore files instead of .intoto.jsonl attestation outputs for the blob builders and generators.

These .sigstore files would contain information like signing cert or pk and rekor SET for offline verification.


asraa avatar Aug 15 '22 17:08 asraa

Some updates from the official sigstore bundle PR: the bundle would be a JSON document with the following format, with a sigstore bundle intoto type:

{
  "mediaType": "application/vnd.dev.sigstore.bundle.v1+json",
  "rekorEntry": {
    "logIndex": "123",
    "logId": "logid-123",
    "kind": "intoto",
    "version": "v0.0.1",
    "signedEntryTimestamp": "SET",
    "integratedTime": "1661340393"
  },
  "x509Cert": {
    "certificate": "PEM Encoded string",
    "chain": "PEM Encoded string"
  },
  "attestationDsse": {
    "payload": "eyJrZXkiOiJ2YWx1ZSJ9",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [
      {
        "sig": "aGVq"
      }
    ]
  }
}

The attestationDsse would contain the intoto JSON file. So it is a wrapper around the DSSE envelope, with the predicate still held inside an intoto attestation.

For multiple attestations, this bundle file would be concatenated as JSON lines.

The current bundle format is much simpler, but is more prone to error:

{
  "base64Signature": "MEQCIFWOIfIg0KvKk0iA7OZWrpRdQ/bb4gfk9+K6ZGcscsqpAiBKL0Z/sahv3EEadTXTVo1i+1OVC0BvLwsB7TPNQ1z4Nw==",
  "cert": "...",
  "rekorBundle": {
    "SignedEntryTimestamp": "MEYCIQCkyFReBLGFzzXjETXqxR+aK2xQVhVLooaAcB/Htp7oQwIhAMkpneby0tUljOM+wcYMDrlDbzFUFZNWzX90XKyS9B9N",
    "Payload": {
      "body": "...",
      "integratedTime": 1662656020,
      "logIndex": 3433946,
      "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
    }
  }
}

where the body is actually the Rekor representation, not the actual DSSE payload. So this format would require distributing both the .intoto.jsonl and this bundle.

asraa avatar Sep 16 '22 16:09 asraa