Add examples for each of the cosign verification mechanisms #117
lkatalin added the enhancement (New feature or request) and good first issue (Good for newcomers) labels on Aug 31, 2022
danbev added a commit to danbev/sigstore-rs that referenced this issue on Nov 25, 2022

This commit renames the Bundle struct to RekorBundle and modifies the existing Bundle struct to contain the rekor_bundle, in addition to a base64_signature, and cert field.

The motivation for change comes from trying to implement an example that verifies a blob using a bundle.

For example, first a blob is signed using the following command:

    cosign sign-blob --bundle=artifact.bundle artifact.txt

The `artifact.bundle` file generated by the above command will look something like this (shortened to fit the commit message format):

    {
      "base64Signature": "...",
      "cert": "...",
      "rekorBundle": {
        "SignedEntryTimestamp": "...",
        "Payload": {
          "body": "...",
          "integratedTime": 1669361833,
          "logIndex": 7810348,
          "logID": "..."
        }
      }
    }

Currently, to create Bundle (which is called RekorBundle in this commit) from this, one would have to parse the string as json, and then access the `rekorBundle` element, and then serialize it so that it can be passed to `Bundle::new_verified` (again RekorBundle in this commit).

With the changes in this commit it will be possible to call `Bundle::new_verified` and pass in the contents for the bundle file directly.

Refs: sigstore#117
Signed-off-by: Daniel Bevenius <daniel.bevenius@gmail.com>
danbev added a commit to danbev/sigstore-rs that referenced this issue on Dec 8, 2022

This commit adds a new struct named SignedArtifactBundle which represents a signed artifact bundle as produced when signing with cosign and specifying the --bundle option.

The motivation for change comes from trying to implement an example that verifies a blob using a bundle.

For example, first a blob is signed using the following command:

    cosign sign-blob --bundle=artifact.bundle artifact.txt

The `artifact.bundle` file generated by the above command will look something like this (shortened to fit the commit message format):

    {
      "base64Signature": "...",
      "cert": "...",
      "rekorBundle": {
        "SignedEntryTimestamp": "...",
        "Payload": {
          "body": "...",
          "integratedTime": 1669361833,
          "logIndex": 7810348,
          "logID": "..."
        }
      }
    }

Currently, to create Bundle from this, one would have to parse the string as json, and then access the `rekorBundle` element, and then serialize it so that it can be passed to `Bundle::new_verified`.

With the changes in this commit it will be possible to call `SignedArtifactBundle::new_verified` and pass in the contents for the bundle file directly.

Refs: sigstore#117
Signed-off-by: Daniel Bevenius <daniel.bevenius@gmail.com>
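
The bundle layout from the commit messages above, as an added Python example that is not part of this issue or of sigstore-rs: it performs the manual split the commit describes (pull out `rekorBundle` and re-serialize it), then goes one step further and checks that the logged entry names the same artifact digest and signature as the bundle. It assumes `Payload.body` is base64-encoded JSON in Rekor's hashedrekord layout; the function names and the sample bundle are constructed for illustration, and nothing here verifies the signature, the certificate or the SignedEntryTimestamp.

```python
import base64
import hashlib
import json

PAYLOAD_KEYS = {"body", "integratedTime", "logIndex", "logID"}

def split_bundle(bundle_text):
    """Return (base64Signature, cert, rekorBundle re-serialized as a JSON string)."""
    doc = json.loads(bundle_text)
    for key in ("base64Signature", "cert", "rekorBundle"):
        if key not in doc:
            raise ValueError(f"bundle is missing {key!r}")
    rekor = doc["rekorBundle"]
    missing = PAYLOAD_KEYS - set(rekor.get("Payload", {}))
    if "SignedEntryTimestamp" not in rekor or missing:
        raise ValueError(f"incomplete rekorBundle, missing Payload keys: {sorted(missing)}")
    return doc["base64Signature"], doc["cert"], json.dumps(rekor)

def entry_matches(bundle_text, artifact):
    """True if the logged entry names this artifact's digest and this signature.

    Consistency check only; it performs no cryptographic verification.
    """
    signature, _cert, rekor_json = split_bundle(bundle_text)
    body_b64 = json.loads(rekor_json)["Payload"]["body"]
    # Assumption: body is base64-encoded JSON in the hashedrekord layout.
    spec = json.loads(base64.b64decode(body_b64))["spec"]
    return (spec["data"]["hash"]["value"] == hashlib.sha256(artifact).hexdigest()
            and spec["signature"]["content"] == signature)

def make_sample_bundle(artifact):
    """Build a constructed bundle (dummy signature and cert) for the demo."""
    sig = base64.b64encode(b"constructed-signature").decode()
    cert = base64.b64encode(b"constructed-certificate").decode()
    body = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": {
        "data": {"hash": {"algorithm": "sha256",
                          "value": hashlib.sha256(artifact).hexdigest()}},
        "signature": {"content": sig, "publicKey": {"content": cert}}}}
    payload = {"body": base64.b64encode(json.dumps(body).encode()).decode(),
               "integratedTime": 1669361833, "logIndex": 7810348,
               "logID": "constructed-log-id"}
    return json.dumps({"base64Signature": sig, "cert": cert, "rekorBundle": {
        "SignedEntryTimestamp": "constructed-set", "Payload": payload}})

ARTIFACT = b"constructed artifact.txt contents\n"
SAMPLE_BUNDLE = make_sample_bundle(ARTIFACT)

if __name__ == "__main__":
    print(entry_matches(SAMPLE_BUNDLE, ARTIFACT))
    print(entry_matches(SAMPLE_BUNDLE, b"different contents\n"))
```
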
The README specifies that we can:
However, the current documented example is for verifying using a given key only. We should add two more examples.