This PR introduces a somewhat largish update to the `vexctl attest` subcommand, mostly to update it to the latest versions of the OpenVEX specification. The changes in the PR are as follows:

Support non-OCI image products in attestations

vexctl now supports generating attestations for VEX products which are not OCI images. For example, if an openvex doc defines an apk as its product and the product has hashes defined, we can now convert it into an in-toto subject. This feature makes use of the new hashes field in OpenVEX v0.2.0.

Reuse the image digest as the subject hash

When specifying an oci purl, we now reuse the hash in the package url version instead of looking it up in the registry; this results in faster attestations.

Update the normalization code to detect images and other products

The internal normalization function reads the products from an OpenVEX file and now returns three sets of references: images, other products, and any unattestable products. This 3-way split is introduced to support attesting products that define hashes, a new feature in the OpenVEX spec v0.2.0.

Update the `vexctl attest` subcommand

The attest subcommand now shares the same pattern and reusable options as the rest of the subcommands in vexctl. We are also adding two new flags:

- `--refs` specifies image references to attach the OpenVEX attestation.
- `--file` is the shared outfile flag that other vexctl subcommands use. It specifies a file which vexctl will write the attestation to.

/cc @cpanato @luhring
Signed-off-by: Adolfo Garcia Veytia (puerco) [email protected]
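The three-way product split and the digest reuse described in the PR, as an added stand-alone illustration (this is not vexctl's own normalization code). It assumes the OpenVEX v0.2.0 product shape (`@id` plus a `hashes` map whose keys look like `sha-256`), that an OCI purl percent-encodes the `sha256:` digest in its version field, and that in-toto digest sets are keyed `sha256`; the `SampleDoc` document and every digest in it are constructed placeholders. Tag-only image purls, which vexctl would resolve against the registry, are simply reported as unattestable here so the example runs offline.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Subject mirrors an in-toto statement subject: a name plus a digest set
// keyed by algorithm name, e.g. {"sha256": "<hex>"}.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// product is the subset of an OpenVEX v0.2.0 product object needed here:
// the identifier and the hashes map that v0.2.0 introduced.
type product struct {
	ID     string            `json:"@id"`
	Hashes map[string]string `json:"hashes,omitempty"`
}

type document struct {
	Statements []struct {
		Products []product `json:"products"`
	} `json:"statements"`
}

// Normalized is the three-way split: attestable images, other attestable
// products, and products for which no subject can be built.
type Normalized struct {
	Images       []Subject
	Others       []Subject
	Unattestable []string
}

// imageDigestFromPurl returns the sha256 digest embedded in the version of an
// OCI purl (pkg:oci/name@sha256%3A<hex>?...), so no registry lookup is needed.
// Tag-only purls such as pkg:oci/nginx@latest return false.
func imageDigestFromPurl(purl string) (string, bool) {
	if !strings.HasPrefix(purl, "pkg:oci/") {
		return "", false
	}
	_, version, found := strings.Cut(purl, "@")
	if !found {
		return "", false
	}
	if cut := strings.IndexAny(version, "?#"); cut >= 0 {
		version = version[:cut] // drop purl qualifiers and subpath
	}
	// purl percent-encodes the ':' of "sha256:<hex>" inside the version field.
	version = strings.NewReplacer("%3A", ":", "%3a", ":").Replace(version)
	h := strings.TrimPrefix(version, "sha256:")
	if h == version || len(h) != 64 {
		return "", false
	}
	if _, err := hex.DecodeString(h); err != nil {
		return "", false
	}
	return strings.ToLower(h), true
}

// Normalize parses an OpenVEX document and sorts its products into the three
// sets. A product repeated across statements is emitted only once.
func Normalize(raw []byte) (Normalized, error) {
	var doc document
	if err := json.Unmarshal(raw, &doc); err != nil {
		return Normalized{}, fmt.Errorf("parsing OpenVEX document: %w", err)
	}
	var out Normalized
	seen := map[string]bool{}
	for _, st := range doc.Statements {
		for _, p := range st.Products {
			if p.ID == "" || seen[p.ID] {
				continue
			}
			seen[p.ID] = true
			if digest, ok := imageDigestFromPurl(p.ID); ok {
				out.Images = append(out.Images, Subject{Name: p.ID, Digest: map[string]string{"sha256": digest}})
				continue
			}
			if len(p.Hashes) > 0 {
				digest := map[string]string{}
				for alg, val := range p.Hashes {
					// Assumption: OpenVEX spells algorithms "sha-256" while in-toto
					// digest sets use "sha256"; normalise by dropping the hyphen.
					digest[strings.ReplaceAll(strings.ToLower(alg), "-", "")] = val
				}
				out.Others = append(out.Others, Subject{Name: p.ID, Digest: digest})
				continue
			}
			// No embedded digest and no hashes: tag-only images and bare purls.
			out.Unattestable = append(out.Unattestable, p.ID)
		}
	}
	return out, nil
}

// SampleDoc is a constructed OpenVEX document; all digests are placeholders.
const SampleDoc = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-001",
  "statements": [{
    "vulnerability": {"name": "CVE-0000-00000"},
    "status": "not_affected",
    "justification": "component_not_present",
    "products": [
      {"@id": "pkg:oci/alpine@sha256%3A0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef?repository_url=index.docker.io/library/alpine"},
      {"@id": "pkg:apk/alpine/curl@8.5.0-r0?arch=x86_64",
       "hashes": {"sha-256": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"}},
      {"@id": "pkg:oci/nginx@latest"},
      {"@id": "pkg:generic/unpinned-thing"}
    ]
  }]
}`

func main() {
	n, err := Normalize([]byte(SampleDoc))
	if err != nil {
		panic(err)
	}
	enc, _ := json.MarshalIndent(n, "", "  ")
	fmt.Println(string(enc))
}
```

Running it prints one image subject whose digest was taken straight from the purl, one apk subject built from the document's `hashes` field, and two unattestable identifiers; anything in the last set is exactly what a `--refs`-style override or a registry lookup would have to supply before an attestation could name it.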