-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change bundle verification test to not depend on signing #82
Change bundle verification test to not depend on signing #82
Conversation
b420ab8
to
5a67da9
Compare
Sorry for the delay here! My plan is to merge #85, then this 🙂 |
@woodruffw bump on this now that #85 has been merged! |
Selftest is failing here, possibly because this needs a rebase. @steiza mind merging/rebasing here? 🙂 |
Hmm, not sure why these are still failing. I'll be able to take a look later, but also CCing @tetsuo-cpp for opinions. |
That's odd! I just re-ran CI against |
I think I've identified what's going on, although I'm not sure what the right next step is to correct it. I'm using the 2.0.0rc1 of sigstore-python:
I ran just the bundle verification (with signing skipped - so we don't need a valid
I ran just that command locally:
It looks like that functionality landed in https://github.com/sigstore/sigstore-python/pull/634/files, which was between the sigstore-python 1.1.2 and 2.0.0rc1 releases. ... but again, I'm not sure what the right next step is. Where should the checkpoint information be coming from? Or maybe sigstore-python expecting something that really should be optional? |
Moved this to #88 since it's unrelated to this PR. |
There's quite a bit going on here, but I think I understand one of the failing bundle tests:
This might have started passing the test (by failing verification) because of the lack of inclusion proof checkpoint. It seems to be a re-manifestation of #84 (comment):
|
For sigstore#81 Signed-off-by: Zach Steindler <[email protected]>
Also plumb skipping signing through the action and test driver. Signed-off-by: Zach Steindler <[email protected]>
Signed-off-by: Zach Steindler <[email protected]>
Signed-off-by: Zach Steindler <[email protected]>
To include inclusion proof checkpoint Signed-off-by: Zach Steindler <[email protected]>
Signed-off-by: Zach Steindler <[email protected]>
af26c78
to
0a456a3
Compare
I rebased to bring in changes from #89, but it looks like I have some more debugging to do. |
Looks like it might be an isolation problem:
|
Also use `ClientFail` exception instead of `CalledProcessError`. Signed-off-by: Zach Steindler <[email protected]>
This one is interesting:
I need to check now, but I'm pretty sure |
Hmm, the client spec itself doesn't mention the bundle's contained digest at all (more generally, it's pretty sparse on the bundle as an input format, although I believe that's going to change with sigstore/sig-clients#8). On the protobuf-specs side, this is what we have: // MessageSignature stores the computed signature over a message.
message MessageSignature {
// Message digest can be used to identify the artifact.
HashOutput message_digest = 1 [(google.api.field_behavior) = REQUIRED];
// The raw bytes as returned from the signature algorithm.
// The signature algorithm (and so the format of the signature bytes)
// are determined by the contents of the 'verification_material',
// either a key-pair or a certificate. If using a certificate, the
// certificate contains the required information on the signature
// algorithm.
// When using a key pair, the algorithm MUST be part of the public
// key, which MUST be communicated out-of-band.
bytes signature = 2 [(google.api.field_behavior) = REQUIRED];
} So the |
|
Nope, no recollection. I recall arguing against including the digest at all originally, since (IMO) it's a probable source of implementation errors (since it's a piece of dual state that always needs to be checked against the actual input that the user if verifying). IIRC the justification for including it was that some users may wish to "verify" bundles with just their intrinsic digest, although I'm still a little blurry on what doing so would accomplish (since it's effectively verifying a signature over anything, not a particular expected input.) |
As a result, we're in a bit of a funny state here: arguably users shouldn't ever need to check |
I'd be fine with either dropping the message or changing to optional. |
Yeah, I think changing it to optional makes sense for now. IMO it really shouldn't be in the bundle at all (especially since we don't have a concrete use case for it, per sigstore/protobuf-specs#30 (comment)), but removing it would be a relatively disruptive protobuf change unlike our other (compatible) changes made between 0.1 and 0.2. I'll make a PR for that in a second. |
Opened sigstore/protobuf-specs#114 for that tweak. |
Signed-off-by: Zach Steindler <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @steiza! Especially for bearing with the test pain here 🙂
For #81
Summary
Today, https://github.com/sigstore/sigstore-conformance/blob/main/test/test_bundle.py requires a client to implement signing in order to test bundle verification. It would be nice to be able to test verification without requiring the client to implement signing.
Release Note
NONE
Documentation
N/A