Add examples for each of the cosign verification mechanisms #117

Open
1 of 3 tasks
lkatalin opened this issue Aug 31, 2022 · 0 comments
Labels
enhancement New feature or request good first issue Good for newcomers

@lkatalin (Contributor)

The README specifies that we can:

  • Verify using a given key
  • Verify bundle produced by transparency log (Rekor)
  • Verify signature produced in keyless mode, using Fulcio Web-PKI

However, the current documented example is for verifying using a given key only. We should add two more examples.

@lkatalin lkatalin added enhancement New feature or request good first issue Good for newcomers labels Aug 31, 2022
danbev added a commit to danbev/sigstore-rs that referenced this issue Nov 25, 2022
This commit renames the Bundle struct to RekorBundle and modifies the
existing Bundle struct to contain the rekor_bundle, in addition to a
base64_signature, and cert field.

The motivation for change comes from trying to implement an example
that verifies a blob using a bundle.
For example, first a blob is signed using the following command:

cosign sign-blob --bundle=artifact.bundle artifact.txt

The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):

{
  "base64Signature": "...",
  "cert": "...",
  "rekorBundle": {
    "SignedEntryTimestamp": "...",
    "Payload": {
      "body": "...",
      "integratedTime": 1669361833,
      "logIndex": 7810348,
      "logID": "..."
    }
  }
}

Currently, to create Bundle (which is called RekorBundle in this commit)
from this, one would have to parse the string as json, and then access
the `rekorBundle` element, and then serialize it so that it can be
passed to `Bundle::new_verified` (again RekorBundle in this commit).

With the changes in this commit it will be possible to call
`Bundle::new_verified` and pass in the contents for the bundle file
directly.

Refs: sigstore#117

Signed-off-by: Daniel Bevenius <daniel.bevenius@gmail.com>
danbev added a commit to danbev/sigstore-rs that referenced this issue Dec 8, 2022
This commit adds a new struct named SignedArtifactBundle which
represents a signed artifact bundle as produced when signing with cosign
and specifying the --bundle option.

The motivation for change comes from trying to implement an example
that verifies a blob using a bundle. For example, first a blob is
signed using the following command:

cosign sign-blob --bundle=artifact.bundle artifact.txt

The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):

{
  "base64Signature": "...",
  "cert": "...",
  "rekorBundle": {
    "SignedEntryTimestamp": "...",
    "Payload": {
      "body": "...",
      "integratedTime": 1669361833,
      "logIndex": 7810348,
      "logID": "..."
    }
  }
}

Currently, to create Bundle from this, one would have to parse the
string as json, and then access the `rekorBundle` element, and then
serialize it so that it can be passed to `Bundle::new_verified`.

With the changes in this commit it will be possible to call
`SignedArtifactBundle::new_verified` and pass in the contents for the
bundle file directly.

Refs: sigstore#117

Signed-off-by: Daniel Bevenius <daniel.bevenius@gmail.com>
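The commit messages above describe the layout of a cosign `--bundle` file and the workaround of pulling the `rekorBundle` object out of it before handing it to the verifier. The following is an added example (not code from sigstore-rs or cosign) that does that extraction in Python with only the standard library and then cross-checks the bundle's top-level fields against the Rekor entry it carries. It assumes the entry body is a base64-encoded Rekor `hashedrekord` record (with `spec.data.hash.value` holding the artifact's SHA-256 and `spec.signature.content` / `spec.signature.publicKey.content` holding the signature and certificate), and that `cert` is the base64 of the PEM certificate; the sample bundle, signature and certificate bytes are constructed placeholders, so no real signature is verified here.

```python
import base64
import hashlib
import json

# Constructed sample artifact and placeholder signature/cert bytes. These are
# not a real ECDSA signature or X.509 certificate; they only let the field
# cross-checks below run offline.
ARTIFACT = b"hello, sigstore\n"
FAKE_SIGNATURE = bytes(range(64))
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"


def artifact_digest(artifact: bytes) -> str:
    """Hex SHA-256 of the blob, as recorded in a hashedrekord entry."""
    return hashlib.sha256(artifact).hexdigest()


def make_hashedrekord_body(artifact: bytes, signature: bytes, cert_pem: str) -> str:
    """Build a base64-encoded Rekor hashedrekord entry body (assumed layout)."""
    entry = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": artifact_digest(artifact)}},
            "signature": {
                "content": base64.b64encode(signature).decode(),
                "publicKey": {"content": base64.b64encode(cert_pem.encode()).decode()},
            },
        },
    }
    return base64.b64encode(json.dumps(entry).encode()).decode()


# Constructed bundle mirroring the field layout shown in the commit message.
SAMPLE_BUNDLE = json.dumps({
    "base64Signature": base64.b64encode(FAKE_SIGNATURE).decode(),
    "cert": base64.b64encode(FAKE_CERT_PEM.encode()).decode(),
    "rekorBundle": {
        "SignedEntryTimestamp": base64.b64encode(b"placeholder-set").decode(),
        "Payload": {
            "body": make_hashedrekord_body(ARTIFACT, FAKE_SIGNATURE, FAKE_CERT_PEM),
            "integratedTime": 1669361833,
            "logIndex": 7810348,
            "logID": "placeholder-log-id",
        },
    },
})


def extract_rekor_bundle(bundle_json: str) -> str:
    """The workaround the commit describes: parse, take rekorBundle, re-serialize."""
    doc = json.loads(bundle_json)
    for key in ("base64Signature", "cert", "rekorBundle"):
        if key not in doc:
            raise ValueError(f"bundle missing required field {key!r}")
    return json.dumps(doc["rekorBundle"])


def check_bundle_consistency(bundle_json: str, artifact: bytes) -> dict:
    """Cross-check the bundle's own fields against the Rekor entry it embeds.

    This does not verify the SignedEntryTimestamp or the artifact signature
    (both need the Rekor/signer public keys and a crypto library); it only
    confirms that the pieces a verifier is handed agree with each other and
    with the blob on disk, which catches a swapped blob or a mismatched bundle.
    """
    doc = json.loads(bundle_json)
    payload = doc["rekorBundle"]["Payload"]
    entry = json.loads(base64.b64decode(payload["body"]))
    if entry.get("kind") != "hashedrekord":
        raise ValueError(f"unexpected entry kind {entry.get('kind')!r}")
    spec = entry["spec"]
    actual_hash = artifact_digest(artifact)
    if spec["data"]["hash"]["value"] != actual_hash:
        raise ValueError("artifact hash does not match the Rekor entry")
    if spec["signature"]["content"] != doc["base64Signature"]:
        raise ValueError("bundle signature differs from the one recorded in Rekor")
    if spec["signature"]["publicKey"]["content"] != doc["cert"]:
        raise ValueError("bundle cert differs from the key material recorded in Rekor")
    if not isinstance(payload["integratedTime"], int) or not isinstance(payload["logIndex"], int):
        raise TypeError("integratedTime and logIndex must be integers")
    return {"sha256": actual_hash,
            "logIndex": payload["logIndex"],
            "integratedTime": payload["integratedTime"]}


def is_consistent(bundle_json: str, artifact: bytes) -> bool:
    """Boolean wrapper around check_bundle_consistency for callers that just want pass/fail."""
    try:
        check_bundle_consistency(bundle_json, artifact)
        return True
    except (ValueError, TypeError, KeyError):
        return False


if __name__ == "__main__":
    print(extract_rekor_bundle(SAMPLE_BUNDLE))
    print(check_bundle_consistency(SAMPLE_BUNDLE, ARTIFACT))
```

The re-serialized `rekorBundle` string is what the pre-change `Bundle::new_verified` expected; the consistency check is the part a verifier still has to do after that call, because a bundle whose `base64Signature` disagrees with the signature recorded in the log entry, or whose entry hash does not match the blob actually being verified, must be rejected regardless of whether the log's inclusion proof checks out.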