Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix semantic bugs in attestation verifification. #1249

Merged
merged 1 commit into from
Dec 24, 2021
Merged

Fix semantic bugs in attestation verifification. #1249

merged 1 commit into from
Dec 24, 2021

Conversation

dlorenc
Copy link
Member

@dlorenc dlorenc commented Dec 24, 2021
edited
Loading

DSSE requires that the payload types match, but the Attestation
spec requires that the payload type be the specific in-toto one. We
don't actually do anything with the content here other than dump it
in plain text, but semantically we're calling these attestations in the
CLI so we should enforce that part of the specification as well.

Signed-off-by: Dan Lorenc lorenc.d@gmail.com

Summary

Ticket Link

Fixes

Release Note

BREAKING: In-Toto Attestations generated in older versions of cosign will not verify in newer versions.

@dlorenc
Copy link
Member Author

dlorenc commented Dec 24, 2021

Similar to #1248 but reverse.

@dlorenc
Fix semantic bugs in attestation verifification.
945036f 
DSSE requires that the payload types match, but the Attestation
spec requires that the payload type be the specific in-toto one. We
don't actually do anything with the content here other than dump it
in plain text, but semantically we're calling these attestations in the
CLI so we should enforce that part of the specification as well.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
loosebazooka
loosebazooka approved these changes Dec 24, 2021
View reviewed changes
pkg/cosign/verify.go
payload, err := att.Payload()
if err != nil {
return err
}

env := ssldsse.Envelope{}
if err := json.Unmarshal(payload, &env); err != nil {
return nil
return err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wild

@dlorenc dlorenc merged commit 1df7fe4 into sigstore:main Dec 24, 2021
@dlorenc dlorenc deleted the verify branch December 24, 2021 03:47
@github-actions github-actions bot added this to the v1.5.0 milestone Dec 24, 2021
@zregvart zregvart mentioned this pull request Mar 29, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loosebazooka loosebazooka loosebazooka approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@dlorenc @loosebazooka