
Community Attestation Service integration

Open Razikus opened this issue 2 years ago • 4 comments


Description

Adds the possibility to run CAS as a signing solution.

Currently works with images that have a SHA256 digest.

Checklist

  • [x] PR is rebased to/aimed at branch develop
  • [x] PR follows Contributing Guide
  • [ ] Added tests (if necessary)
  • [x] Extended README/Documentation (if necessary) - extended README with link to CAS
  • [ ] Adjusted versions of image and Helm chart in values.yaml and Chart.yaml (if necessary)

Please point me to what I should change/extend in order to make this PR mergeable.

Razikus avatar May 31 '22 10:05 Razikus

@Razikus awesome idea on first sight :rocket: Should I support with further tests and points to add stuff, or just point you in the right direction?

thanks for contributing :pray:

xopham avatar Jun 01 '22 07:06 xopham

Hello!

It depends on you :) I would really appreciate support, but you can also just point out the things that I should change/make and I can implement them.

One of the questions that I have: could we extract the digest from an image that is not marked with a digest? It would allow CAS to actually verify all images then.

Razikus avatar Jun 01 '22 07:06 Razikus

@Razikus When I gave it a first brief test, I was not able to get it to run. Would you have a minimal documentation of how to run with CAS? This will be needed in any case to have a documentation page as for the other validators: https://github.com/sse-secure-systems/connaisseur/tree/master/docs/validators . Feel free to add your own, based on the other examples.

I would take some time for testing and checking, specifically as it also introduces further dependencies and I'd like to understand a bit more about things :slightly_smiling_face:

xopham avatar Jun 17 '22 14:06 xopham

Sure, no problem. I will add updated docs next week.

Currently the CAS integration works only with SHA256, so that's how you should pass the image:

  1. Grab your API key from https://cas.codenotary.com/
  2. Download the binary from https://github.com/codenotary/cas/releases/tag/v1.0.2
  3. Notarize the hash of the image with
     ./cas-v1.0.2-linux-amd64-static notarize --api-key YOURAPIKEY --hash HASH --name ANYASSETNAME
  4. Then you can deploy your Connaisseur with the values below. Your email is actually your signer ID in CAS.

  - name: default
    type: cas
    signerId: youremail

Razikus avatar Jun 17 '22 14:06 Razikus
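The thread turns on two points: the CAS validator only accepts images pinned to a SHA256 digest, and Razikus asks whether a digest could be derived for images that are referenced by tag only. The example below, which is added here and is not code from the PR, from Connaisseur or from CodeNotary, shows the shape of that: it parses an image reference, uses the digest if one is pinned, and otherwise hashes the manifest served for the tag, cross-checking the digest the registry reports against the manifest bytes. The "registry" is a constructed in-memory stand-in (`FAKE_MANIFESTS`, `fake_fetch`, `lying_fetch`), not a real registry client, and the assumption that `cas notarize --hash` takes the bare hex part of the digest is the author's, not something the thread states.

```python
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

# Only SHA256 digests are accepted, matching what the CAS validator in this PR supports.
DIGEST_RE = re.compile(r"^sha256:[a-f0-9]{64}$")


def parse_reference(ref: str) -> Tuple[str, str, Optional[str]]:
    """Split an image reference into (name, tag, digest).

    Accepts repo, repo:tag, repo@sha256:..., and repo:tag@sha256:...
    A digest, when present, must be a well-formed sha256 digest.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"unsupported or malformed digest: {digest}")
    name, tag = ref, "latest"
    # A colon after the last slash separates the tag; a colon before it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    if not name:
        raise ValueError("empty image name")
    return name, tag, digest


def manifest_digest(manifest: bytes) -> str:
    """The OCI/Docker content digest is the sha256 of the manifest bytes exactly as served."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


# A fetcher returns (manifest bytes, digest header reported by the registry or None).
Fetcher = Callable[[str, str], Tuple[bytes, Optional[str]]]


def resolve_digest(ref: str, fetch_manifest: Fetcher) -> str:
    """Return the sha256 digest for ref.

    A reference that already pins a digest is used as-is. Otherwise the tag is
    resolved by fetching its manifest and hashing the bytes; a digest reported by
    the registry is cross-checked against the computed value rather than trusted.
    """
    name, tag, digest = parse_reference(ref)
    if digest is not None:
        return digest
    body, reported = fetch_manifest(name, tag)
    computed = manifest_digest(body)
    if reported is not None and reported != computed:
        raise ValueError(
            f"registry reported {reported} for {name}:{tag} but manifest hashes to {computed}"
        )
    return computed


def cas_hash_argument(digest: str) -> str:
    """Hex part of the digest, i.e. the value for `cas notarize --hash`.

    Assumption (not stated in the thread): CAS takes the bare hex without the
    'sha256:' prefix.
    """
    return digest.split(":", 1)[1]


# Constructed sample manifests standing in for a registry (not real registry responses).
FAKE_MANIFESTS: Dict[Tuple[str, str], bytes] = {
    ("registry.example/team/app", "1.0"): b'{"schemaVersion":2,"config":{"digest":"sha256:aaaa"}}',
    ("registry.example/team/app", "1.1"): b'{"schemaVersion":2,"config":{"digest":"sha256:bbbb"}}',
}


def fake_fetch(name: str, tag: str) -> Tuple[bytes, Optional[str]]:
    """Offline stand-in for GET /v2/<name>/manifests/<tag> with an honest digest header."""
    body = FAKE_MANIFESTS[(name, tag)]
    return body, manifest_digest(body)


def lying_fetch(name: str, tag: str) -> Tuple[bytes, Optional[str]]:
    """Stand-in whose digest header does not match the body it serves."""
    body = FAKE_MANIFESTS[(name, tag)]
    return body, "sha256:" + "0" * 64


if __name__ == "__main__":
    for ref in ("registry.example/team/app:1.0",
                "registry.example/team/app:1.1@sha256:" + "c" * 64):
        d = resolve_digest(ref, fake_fetch)
        print(f"{ref} -> {d}  (cas --hash {cas_hash_argument(d)})")
```

The point of hashing the manifest bytes yourself, rather than reading the registry's digest header alone, is that the digest is what CAS notarized; a validator that resolves tags has to be sure the digest it admits is the one that names the content actually served, which is also why a mismatch is treated as a hard failure here.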