
Feature: Add support for custom attestation predicate types but this time while verifying attestation #512

Closed
developer-guy opened this issue Jul 30, 2021 · 8 comments · Fixed by #641
@developer-guy
Member

Description

We added this support for uploading attestation to the registries in PR #504 but we haven't added this support for verifying attestations against claims yet, so we have to add this support for it too.

https://github.com/sigstore/cosign/blob/main/pkg/cosign/verifiers.go#L47

cc: @dlorenc @Dentrax

@developer-guy
Member Author

developer-guy commented Aug 26, 2021

As I mentioned above, we have support for verifying the attestation payload, but we are only using the Subject within the StatementHeader. So here is the idea: users can verify their attestation by predicate fields, like verifying an image by annotations. My suggestion is that we get the type of the predicate from the user, plus the fields of that predicate to verify, so the final command would be like the following:

```shell
$ cosign verify-attestation -type <slsaprovenance|link|spdx> <IMAGE> -field <builder.id="xyz"|..>
```

WDYT @Dentrax @dlorenc @hectorj2f?
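As an added illustration of the `-type` / `-field` proposal above (this is example code written for this page, not cosign's implementation), the program below decodes an in-toto Statement, checks that its `predicateType` matches the short name given to `-type`, and then applies each `-field key.path=value` constraint to the predicate body. The statement is a constructed SLSA v0.1 provenance sample; the mapping from short names to predicate-type URIs is an assumption of the example, and the signature and subject check is assumed to have already passed, as the comment says.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an in-toto Statement needed for the predicate check.
// Field names follow the in-toto attestation layout (_type, subject, predicateType, predicate).
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Subject is one artifact the statement makes claims about.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// predicateTypes maps the short names proposed for -type to predicate-type URIs.
// These URIs are an assumption of this example (SLSA v0.1, in-toto Link, SPDX).
var predicateTypes = map[string]string{
	"slsaprovenance": "https://slsa.dev/provenance/v0.1",
	"link":           "https://in-toto.io/Link/v1",
	"spdx":           "https://spdx.dev/Document",
}

// ParseField splits one -field argument of the form path.to.key=value into the
// dotted path and the expected value (surrounding quotes are stripped).
func ParseField(s string) (path []string, want string, err error) {
	parts := strings.SplitN(s, "=", 2)
	if len(parts) != 2 || parts[0] == "" {
		return nil, "", fmt.Errorf("field %q: want key.path=value", s)
	}
	return strings.Split(parts[0], "."), strings.Trim(parts[1], `"`), nil
}

// lookup walks a dotted path through nested JSON objects decoded as map[string]interface{}.
func lookup(v interface{}, path []string) (interface{}, bool) {
	for _, key := range path {
		m, ok := v.(map[string]interface{})
		if !ok {
			return nil, false
		}
		v, ok = m[key]
		if !ok {
			return nil, false
		}
	}
	return v, true
}

// VerifyPredicate checks the predicateType against the requested short type and
// then enforces every -field constraint on the predicate, returning the first mismatch.
func VerifyPredicate(statementJSON []byte, typ string, fields []string) error {
	want, ok := predicateTypes[typ]
	if !ok {
		return fmt.Errorf("unknown -type %q", typ)
	}
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return fmt.Errorf("decode statement: %w", err)
	}
	if st.PredicateType != want {
		return fmt.Errorf("predicateType %q, want %q", st.PredicateType, want)
	}
	var pred interface{}
	if err := json.Unmarshal(st.Predicate, &pred); err != nil {
		return fmt.Errorf("decode predicate: %w", err)
	}
	for _, f := range fields {
		path, expect, err := ParseField(f)
		if err != nil {
			return err
		}
		got, found := lookup(pred, path)
		if !found {
			return fmt.Errorf("field %s not present in predicate", strings.Join(path, "."))
		}
		// JSON numbers decode as float64; fmt.Sprint gives "10" for 10, so plain values compare as text.
		if fmt.Sprint(got) != expect {
			return fmt.Errorf("field %s = %v, want %q", strings.Join(path, "."), got, expect)
		}
	}
	return nil
}

// sampleStatement is a constructed SLSA v0.1 provenance statement, not a real attestation.
const sampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [{"name": "registry.example/app", "digest": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000"}}],
  "predicateType": "https://slsa.dev/provenance/v0.1",
  "predicate": {
    "builder": {"id": "https://builder.example/ci"},
    "recipe": {"type": "https://builder.example/recipe/v1"},
    "materials": []
  }
}`

func main() {
	checks := []struct {
		typ    string
		fields []string
	}{
		{"slsaprovenance", []string{`builder.id="https://builder.example/ci"`}}, // passes
		{"slsaprovenance", []string{`builder.id="https://other.example"`}},      // value mismatch
		{"spdx", nil},                                                              // wrong predicateType
		{"slsaprovenance", []string{"recipe.arguments=foo"}},                       // field absent
	}
	for _, c := range checks {
		if err := VerifyPredicate([]byte(sampleStatement), c.typ, c.fields); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("OK:", c.typ, c.fields)
		}
	}
}
```

Rejecting on an absent field, rather than treating it as "nothing to compare", is the behaviour a verifier wants: a builder that omits `builder.id` should not satisfy a policy that pins it.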

@developer-guy
Member Author

Maybe we can discuss the feature a bit, because I'm so excited to start working on this issue. @dlorenc 🤩

@dlorenc
Member

dlorenc commented Sep 6, 2021

This plan sounds good to me!

It would be fun to try to integrate with cue as well for richer, custom validation of the predicate after the signature and subject have been matched.

@Dentrax
Member

Dentrax commented Sep 7, 2021

We created a discussion on the cue repo: cue-lang/cue#1252

What we want to do is convert the given enforcement flags (as proposed here by @developer-guy) into an in_toto model, and then we can easily generate an enforcement action. The implementation process will be quite easy after that, I guess.

@developer-guy
Member Author

developer-guy commented Sep 8, 2021

Based on the discussion started by @Dentrax, we finally found a way to validate JSON against policy files written in Cuelang. Here is the code sample we followed:

```go
package main

import (
	"fmt"
	"os"

	"cuelang.org/go/cue/cuecontext"
	cuejson "cuelang.org/go/encoding/json"
)

func main() {
	ctx := cuecontext.New()

	// Load the CUE policy and compile it into a cue.Value.
	cueBs, err := os.ReadFile("policy.cue")
	if err != nil {
		panic(err)
	}
	v := ctx.CompileString(string(cueBs))
	if v.Err() != nil {
		panic(v.Err())
	}

	// JSON input to validate; "taz" is deliberately a string so the policy rejects it.
	input := `{
	  "foo": {
	    "bar": {
	      "baz": 10,
	      "taz": "I'm not integer"
	    }
	  }
	}`

	// Validate reports the first constraint in the policy that the input violates.
	if err := cuejson.Validate([]byte(input), v); err != nil {
		panic(err)
	}
	fmt.Println("input conforms to policy.cue")
}
```

and the policy file `policy.cue`:

```cue
foo: bar: {
	baz: <11
	taz: int
}
```

If you run the code snippet above, you will get an error:

```text
panic: foo.bar.taz: conflicting values int and "I'm not integer" (mismatched types int and string)
```

So, what we propose is that we take these policy files behind a flag, something like `-policy policy.cue`, and then verify the predicate against them. Users could define this flag more than once, like `-policy validate1.cue -policy validate2.cue`.

Would you like to give us a hand @verdverm @shykes? 🙏 🤝

PTAL @erkanzileli @dlorenc @Dentrax

@verdverm

verdverm commented Sep 8, 2021

@developer-guy I sure would

Are there other comm channels like chat or video that get used? I have some questions on the example and probably need to get up to speed on Sigstore / Cosign.

@developer-guy
Member Author

Please feel free to join us on Slack and let's have a chat 🙏 @verdverm

@shykes

shykes commented Sep 9, 2021

Copying @mpvl and @myitcv who might be interested in following this as well.
