
Add support for verifying dsse-intoto #855

Open. loosebazooka wants to merge 1 commit into main (base) from dsse_support.

Conversation

loosebazooka (Member) commented Nov 21, 2024

  • Verification should be able to correctly validate a bundle as cryptographically valid (VerificationOptions.empty())
  • Verifiers may also include signer identity during verification
  • Verifiers should extract the embedded attestation to do further analysis on the attestation. Sigstore-java does not process those in any way
  • There are no signing options for DSSE bundles

needs #873 #872

@loosebazooka loosebazooka force-pushed the dsse_support branch 5 times, most recently from 7a7e1b6 to 85dd2f1 on December 13, 2024 18:53

loosebazooka (Member, Author) commented:
I'm gonna split this up, make it a little easier to review.

@loosebazooka loosebazooka marked this pull request as draft December 18, 2024 18:08
@loosebazooka loosebazooka force-pushed the dsse_support branch 3 times, most recently from 299a6b0 to d6b598c on December 18, 2024 20:30
- Verification should be able to correctly validate a bundle as
  cryptographically valid (VerificationOptions.empty())
- Verifiers may also include signer identity during verification
- Verifiers should extract the embedded attestation to do further
  analysis on the attestation. Sigstore-java does not process
  those in any way
- There are no signing options for DSSE bundles

Signed-off-by: Appu Goundan <[email protected]>
@loosebazooka loosebazooka marked this pull request as ready for review December 20, 2024 20:15
var digestBytes = Hex.decode(subject.getDigest().get("sha256"));
return Arrays.equals(artifactDigest, digestBytes);
} catch (DecoderException de) {
// ignore (assume false)
Collaborator (review comment on the lines above):

log.warn?
