Print in-toto statement when verifying DSSE #1116
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
woodruffw
reviewed
Sep 10, 2024
sigstore/_cli.py
Outdated
| @@ -811,8 +811,10 @@ def _verify_identity(args: argparse.Namespace) -> None: | |||
| ) | |||
|
|
|||
| try: | |||
| _verify_common(verifier, hashed, bundle, policy_) | |||
| statement = _verify_common(verifier, hashed, bundle, policy_) | |||
| print(f"OK: {file}") | |||
There was a problem hiding this comment.
Let's move this to stderr:
Suggested change
| print(f"OK: {file}") | |
| print(f"OK: {file}", file=sys.stderr) |
woodruffw
reviewed
Sep 10, 2024
woodruffw
reviewed
Sep 10, 2024
CHANGELOG.md
Outdated
|
|
||
| * CLI: The `sigstore verify` command now outputs the inner in-toto statement | ||
| when verifying DSSE envelopes. If verification is successful, the output | ||
| will be "OK: $FILENAME" followed by the inner in-toto statement. This allows |
There was a problem hiding this comment.
Nit: I think we can remove this part, since OK: will be on stderr now.
|
Thanks @facutuesca, looks good! Just a few small comments. |
woodruffw
added
component:cli
Co-authored-by: William Woodruff <william@yossarian.net> Signed-off-by: Facundo Tuesca <facu@tuesca.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
|
/gcbrun |
woodruffw
approved these changes
Sep 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Part of #1111. This changes the
sigstore verifyCLI command so that when verifying a bundle containing a DSSE envelope, if verification succeeds the inner in-toto statement is printed to the user.$ sigstore verify identity README.md --cert-identity me@example.com --cert-oidc-issuer https://issuer.example.com OK: README.md {"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"README.md","digest":{"sha256":"033be49064ed2a5f50bf81950f38741a8c550bc8076447452152c7b9d28728bc"}}],"predicateType":"slsaprovenance0_2","predicate":{"builder":{"id":"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"},"build_type":"https://github.com/slsa-framework/slsa-github-generator/generic@v1","invocation":{"config_source":{"uri":"git+https://gi..... ....This is done because
sigstore-pythononly verifies the subjects of the DSSE envelope match the artifacts being verified, it does not do any verification on the predicate of the statement. This should be done by the user, which is why we print the statement after verification succeeds, so that the user has easy access to it.Release Note
sigstore verifycommand now outputs the inner in-toto statementwhen verifying DSSE envelopes. If verification is successful, the output
will be "OK: $FILENAME" followed by the inner in-toto statement. This allows
the user to see the statement's predicate, which
sigstore-pythondoes notverify and should be verified by the user.
cc @woodruffw