Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add features needed to sign SLSA Source Attestations #611

Open
TomHennen opened this issue Jan 3, 2025 · 1 comment
Open

Add features needed to sign SLSA Source Attestations #611

TomHennen opened this issue Jan 3, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@TomHennen
Copy link
Contributor

Description

The SLSA Source Track defines summary attestations as a way of attesting the high level properties of a source revision.

In addition it wants implementors to be able to create other more detailed provenance attestations.

gitsign seems like the perfect tool to be able to sign these attestations but I ran into a couple of problems when I tried signing a summary attestation.

  1. The spec wants the subject to specify the git commit using a digest type of gitCommit (a standard in-toto type. However gitsign currently stores the git commit in a sha256 digest type.
  2. The spec wants implementors to specify the branches as annotations on the subject. Currently gitsign doesn't offer any ability to specify annotations.
  3. The spec wants the subject.uri to be set. Currently gitsign doesn't offer any ability to set the subject.uri field.
  4. The spec wants the statement type to be set to "https://in-toto.io/Statement/v1" but currently gitsign uses "https://in-toto.io/Statement/v0.1"

It might be possible to resolve this by enable gitsign to take a 'raw' in-toto statement, but as @wlynch points out, that runs the risk of decoupling the commit referenced in the attestation from where gitsign is actually storing the data.

Instead, perhaps we can address this by updating gitsign to:

  1. Set gitCommit in addition to the existing sha256 type (or alternatively have some flag to set it to a more modern mode).
  2. Update the statement type to "https://in-toto.io/Statement/v1"
  3. Add a command line flag for setting the subject URI (e.g. --subject_uri https://github.com/sigstore/gitsign/commit/9fc97de55fc1926fa2a76f06b02c8531dcf6828d)
  4. Add a command line flag for adding subject annotations (e.g. --subject_annotation "source_branches=foo,bar")

In the end some might be able to sign a SLSA Source VSA with a command like:

gitsign attest -f vsa-predicate.json --type https://slsa.dev/verification_summary/v1 --subject_annotation "source_branches=foo,bar" --subject_uri https://github.com/sigstore/gitsign/commit/9fc97de55fc1926fa2a76f06b02c8531dcf6828d

Would something like this be reasonable?

Version
gitsign version v0.12.0
@TomHennen TomHennen added the bug Something isn't working label Jan 3, 2025
@wlynch
Copy link
Member

wlynch commented Jan 4, 2025
edited
Loading

Generally in favor of this! A few notes:

  1. The spec wants the subject to specify the git commit using a digest type of gitCommit (a standard in-toto type. However gitsign currently stores the git commit in a sha256 digest type.

Set gitCommit in addition to the existing sha256 type (or alternatively have some flag to set it to a more modern mode).

Fine with me! I'm okay with making this as a breaking change - as evident by the recent fix of gitsign attest, I don't think many people are using this actively at the moment. This was a side-effect of leaning on the cosign libraries, but we can just as easily generate the attestations here in gitsign as well.

  1. The spec wants implementors to specify the branches as annotations on the subject. Currently gitsign doesn't offer any ability to specify annotations.

Add a command line flag for adding subject annotations (e.g. --subject_annotation "source_branches=foo,bar")

LGTM!

  1. The spec wants the subject.uri to be set. Currently gitsign doesn't offer any ability to set the subject.uri field.

Add a command line flag for setting the subject URI (e.g. --subject_uri 9fc97de)

I think I'm okay with this, mostly because the VSA spec says SHOULD.

I have mixed feelings about tying subjects to entities outside of the repo - putting my git-idealist hat on, because repos are distributed it would be nice if predicates could be true regardless of the remote you're pulling from (e.g. https://go.googlesource.com/go and https://github.com/golang/go should be the same repo).
I get this can be useful to tie verification to a given instance, but it almost feels like remotes should be the signers of an attestation in many cases. How that would be done TBD - bootstrapping trusted identities for repo metadata was the primary motivation for gittuf though, so I would look there for inspiration - cc @adityasaky.

That said, given this is not required I'm okay with exposing a optional flag to enable this for people who want it.

  1. The spec wants the statement type to be set to "https://in-toto.io/Statement/v1" but currently gitsign uses "https://in-toto.io/Statement/v0.1"

Update the statement type to "https://in-toto.io/Statement/v1"

This should be easy to do, both here and in cosign (since they're using the same library), but we should coordinate with cosign folks to be safe. https://github.com/sigstore/cosign/blob/8040fc4b1dbf85cce1a40528a5be666388ad059c/pkg/cosign/attestation/attestation.go#L173

TomHennen added a commit to TomHennen/gitsign that referenced this issue Jan 19, 2025
@TomHennen
Modernize attest statements
6b08c95 
attest no longer uses the cosign library to generate the Statement
used in the attestation.

This lets us:

1. Use `gitCommit` as the digest type (which is what we were doing anyways)
2. Use the correct `_type` value for modern in-toto statements

In the future it will let us add annotations on the subject.

Note that this also changes the user behavior in that it:
1. Changes the things mentioned above.
2. Doesn't let users use the convenience attestation types from the command
   line.  They must instead specify the full predicate type.

refs sigstore#611

Signed-off-by: Tom Hennen <[email protected]>
TomHennen added a commit to TomHennen/gitsign that referenced this issue Jan 19, 2025
@TomHennen
Modernize attest statements
fad643d 
attest no longer uses the cosign library to generate the Statement
used in the attestation.

This lets us:

1. Use `gitCommit` as the digest type (which is what we were doing anyways)
2. Use the correct `_type` value for modern in-toto statements

In the future it will let us add annotations on the subject.

Note that this also changes the user behavior in that it:
1. Changes the things mentioned above.
2. Doesn't let users use the convenience attestation types from the command
   line.  They must instead specify the full predicate type.

refs sigstore#611

Signed-off-by: Tom Hennen <[email protected]>
@TomHennen TomHennen mentioned this issue Jan 19, 2025
Merged
TomHennen added a commit to TomHennen/gitsign that referenced this issue Jan 19, 2025
@TomHennen
Modernize attest statements
6510a84 
attest no longer uses the cosign library to generate the Statement
used in the attestation.

This lets us:

1. Use `gitCommit` as the digest type (which is what we were doing anyways)
2. Use the correct `_type` value for modern in-toto statements

In the future it will let us add annotations on the subject.

Note that this also changes the user behavior in that it:
1. Changes the things mentioned above.
2. Doesn't let users use the convenience attestation types from the command
   line.  They must instead specify the full predicate type.

refs sigstore#611

Signed-off-by: Tom Hennen <[email protected]>
@TomHennen TomHennen mentioned this issue Jan 21, 2025
Open
wlynch pushed a commit that referenced this issue Jan 22, 2025
@TomHennen
Modernize attest statements (#620)
6e07836 
* Modernize attest statements

attest no longer uses the cosign library to generate the Statement
used in the attestation.

This lets us:

1. Use `gitCommit` as the digest type (which is what we were doing anyways)
2. Use the correct `_type` value for modern in-toto statements

In the future it will let us add annotations on the subject.

Note that this also changes the user behavior in that it:
1. Changes the things mentioned above.
2. Doesn't let users use the convenience attestation types from the command
   line.  They must instead specify the full predicate type.

refs #611

Signed-off-by: Tom Hennen <[email protected]>

* gofmt

Signed-off-by: Tom Hennen <[email protected]>

* Restructure test to allow deep comparison of the JSON

The prior setup needed the contents to be exactly equal.
Unfortunately protojson explicitly doesn't maintain
byte-for-byte equality. To address that the test now
deeply examines the 'attestation' (.sig) file produced
parses the payload JSON into a struct and then compares
that.

This provides somewhat easier to understand error diffs
when things go wrong, but most importantly it appears
stable even if field order or spacing change.

Signed-off-by: Tom Hennen <[email protected]>

* remove byte conversion to make linter happy

Signed-off-by: Tom Hennen <[email protected]>

* use gitCommit/gitTree as appropriate

Signed-off-by: Tom Hennen <[email protected]>

* remove old provenance template

Signed-off-by: Tom Hennen <[email protected]>

---------

Signed-off-by: Tom Hennen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wlynch @TomHennen