Modernize attest statements #620
Conversation
attest no longer uses the cosign library to generate the Statement used in the attestation. This lets us: 1. Use `gitCommit` as the digest type (which is what we were doing anyways) 2. Use the correct `_type` value for modern in-toto statements In the future it will let us add annotations on the subject. Note that this also changes the user behavior in that it: 1. Changes the things mentioned above. 2. Doesn't let users use the convenience attestation types from the command line. They must instead specify the full predicate type. refs sigstore#611 Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
|
Hmm, these tests worked yesterday, perhaps there's some non-determinism in how the statement gets marshaled. Let me check on that. |
The prior setup needed the contents to be exactly equal. Unfortunately protojson explicitly doesn't maintain byte-for-byte equality. To address that the test now deeply examines the 'attestation' (.sig) file produced parses the payload JSON into a struct and then compares that. This provides somewhat easier to understand error diffs when things go wrong, but most importantly it appears stable even if field order or spacing change. Signed-off-by: Tom Hennen <[email protected]>
|
Ok, I believe the tests have been fixed. I'm not sure if folks would prefer this had been handled some other way. Please let me know. |
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
| @@ -46,7 +46,7 @@ type options struct { | |||
| func (o *options) AddFlags(cmd *cobra.Command) { | |||
| cmd.Flags().StringVar(&o.FlagObjectType, "objtype", FlagObjectTypeCommit, "[commit | tree] - Git object type to attest") | |||
| cmd.Flags().StringVarP(&o.FlagPath, "filepath", "f", "", "attestation filepath") | |||
| cmd.Flags().StringVar(&o.FlagAttestationType, "type", "", `specify a predicate type (slsaprovenance|link|spdx|spdxjson|cyclonedx|vuln|custom) or an URI (default "custom")`) | |||
There was a problem hiding this comment.
(no action needed)
After responding to #623 (comment) this made me realize there was a good reason to have this, which was to support making it easy to add attestations for arbitrary files that don't fit neatly into an in-toto type, e.g. being able to do something like gitsign attest -f test-results.xml --type custom and have that work auto-magically.
That said, I think there's more benefits to getting this working with the new in-toto libraries at the moment so happy to proceed with this for now, but this will likely be something we'll look to add back in some form (either as this flag or another flag/command).
Summary
attestnow generates 'modern' in-toto attestations using the in-toto attestation go bindings and dropped usage of the cosign library for statement generation.This lets us:
gitCommitas the digest type (which is what we were doing anyways)_typevalue for modern in-toto statementsIn the future it will let us add annotations on the subject.
Note that this also changes the user behavior in that it:
refs #611
Release Note
attestproduces in-toto compliant statementsDocumentation
No documentation updates needed as the
attestcommand is not referenced in the current documentation. https://docs.sigstore.dev/cosign/signing/gitsign/