[bug] Currently `verifier.go` uses an empty config.Opts when calling `storage/*` `Retrieve*` method -> ShortKey is not defined -> no object found
In looking through the verifier.go logic I see that RetrieveSignatures and RetrievePayloads are called with an empty config.StorageOpts:
https://github.com/tektoncd/chains/blob/main/pkg/chains/verifier.go#L76
```go
signatures, err := b.RetrieveSignatures(ctx, trObj, config.StorageOpts{})
```
config.StorageOpts{} contains fields including ShortKey which is used in ~3 storage options retrieve calls:
```
aprindle@aprindle-ssd ~/chains/pkg/chains/storage [fix-985]ack ShortKey
docdb/docdb.go
72: Name: opts.ShortKey,
122: d := SignedDocument{Name: opts.ShortKey}
gcs/gcs.go
74: key: opts.ShortKey,
95: key: opts.ShortKey,
211: return fmt.Sprintf(SignatureNameFormatTaskRun, tr.Namespace, tr.Name, opts.ShortKey)
216: return fmt.Sprintf(PayloadNameFormatTaskRun, tr.Namespace, tr.Name, opts.ShortKey)
221: return fmt.Sprintf(SignatureNameFormatPipelineRun, pr.Namespace, pr.Name, opts.ShortKey)
226: return fmt.Sprintf(PayloadNameFormatPipelineRun, pr.Namespace, pr.Name, opts.ShortKey)
tekton/tekton.go
60: key: opts.ShortKey,
142: return fmt.Sprintf(SignatureAnnotationFormat, opts.ShortKey)
146: return fmt.Sprintf(PayloadAnnotationFormat, opts.ShortKey)
```
In contrast for example, in signing.go these values are set:
https://github.com/tektoncd/chains/blob/main/pkg/chains/signing.go#L183
```go
b := o.Backends[backend]
storageOpts := config.StorageOpts{
	ShortKey:      signableType.ShortKey(obj),
	FullKey:       signableType.FullKey(obj),
	Cert:          signer.Cert(),
	Chain:         signer.Chain(),
	PayloadFormat: payloadFormat,
}
if err := b.StorePayload(ctx, tektonObj, rawPayload, string(signature), storageOpts); err != nil {
	logger.Error(err)
	merr = multierror.Append(merr, err)
}
```
IIUC, this means that retrieving objects from these storage types will not work as the keys to look up will not be correct - ShortKey won't be set (will be "") which leads to the key used for lookup to be incorrect.
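The key mismatch described in the issue above, as an added Go example that is not part of the original issue or of the Chains code base. `annotationStore`, `sigAnnotationFormat`, `RetrieveStrict`, `ErrEmptyShortKey` and the sample values are constructed stand-ins, and `StorageOpts` models only the `ShortKey` field of `config.StorageOpts`.

```go
package main

import (
	"errors"
	"fmt"
)

// StorageOpts is a cut-down stand-in for config.StorageOpts (only ShortKey is modelled).
type StorageOpts struct{ ShortKey string }

// Constructed format string; the project's real annotation format is not shown on the page.
const sigAnnotationFormat = "example.test/signature-%s"

var ErrEmptyShortKey = errors.New("storage opts: ShortKey is empty, lookup key would be wrong")

// annotationStore models a backend that names entries from opts.ShortKey.
type annotationStore struct{ annotations map[string]string }

func sigKey(opts StorageOpts) string { return fmt.Sprintf(sigAnnotationFormat, opts.ShortKey) }

func (s *annotationStore) Store(sig string, opts StorageOpts) { s.annotations[sigKey(opts)] = sig }

// Retrieve formats the key from whatever opts it is given; a wrong key simply finds nothing.
func (s *annotationStore) Retrieve(opts StorageOpts) (string, bool) {
	sig, ok := s.annotations[sigKey(opts)]
	return sig, ok
}

// RetrieveStrict (hypothetical guard) fails closed, so a caller can tell
// "options were not populated" apart from "object has no signature".
func (s *annotationStore) RetrieveStrict(opts StorageOpts) (string, error) {
	if opts.ShortKey == "" {
		return "", ErrEmptyShortKey
	}
	sig, ok := s.annotations[sigKey(opts)]
	if !ok {
		return "", fmt.Errorf("no signature under %q", sigKey(opts))
	}
	return sig, nil
}

func main() {
	s := &annotationStore{annotations: map[string]string{}}
	s.Store("c2lnbmF0dXJl", StorageOpts{ShortKey: "taskrun-1234"}) // constructed sample values
	_, found := s.Retrieve(StorageOpts{})                          // empty opts, as on the verifier path
	fmt.Println("empty opts found:", found, "key:", sigKey(StorageOpts{}))
	_, err := s.RetrieveStrict(StorageOpts{})
	fmt.Println("strict:", err)
}
```

The signature is stored under a key ending in `taskrun-1234`, while the lookup with empty options asks for a key ending in nothing, so a verifier built on `Retrieve` sees a signed object as having no signature at all.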