Ramon Petgrave
bf38fb0e9c
help docs
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:52:47 +00:00
Ramon Petgrave
23d8e33dfd
singular attestation path
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:46:28 +00:00
Ramon Petgrave
e0919a83e0
hash-algo description
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:41:08 +00:00
Ramon Petgrave
f3b63b7194
reword simple hash
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:39:13 +00:00
Ramon Petgrave
b9c6de5635
flag descriptions, optional --verified-levels
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:34:53 +00:00
Ramon Petgrave
519a928c72
clarify comments
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-22 00:19:46 +00:00
Ramon Petgrave
968a34d1dd
typo
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-21 15:32:11 +00:00
Ramon Petgrave
e27f99f15d
no need for sigstoreEnvelope
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 23:07:05 +00:00
Ramon Petgrave
0172a12823
lint
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 22:17:11 +00:00
Ramon Petgrave
73c9884da6
lint: no pointer for crypto.publickkey
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 22:10:46 +00:00
Ramon Petgrave
942d8bbe3d
remove accidental binary
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 20:50:28 +00:00
Ramon Petgrave
ff1cf43ce9
undo regression tag change
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 20:48:19 +00:00
Ramon Petgrave
cba639f855
specific errors and test cases
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 20:43:26 +00:00
Ramon Petgrave
e47312f593
literl hash algo
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 19:56:21 +00:00
Ramon Petgrave
00fed87dbc
typo
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 19:53:45 +00:00
Ramon Petgrave
fbe83fb372
change error type
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 19:50:18 +00:00
Ramon Petgrave
7fb5bf933c
switch wanted, got order
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 18:13:06 +00:00
Ramon Petgrave
8befbc6e94
use plain bool
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 18:12:51 +00:00
Ramon Petgrave
fec61b1f27
use pointers
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 18:03:48 +00:00
Ramon Petgrave
5636d0a832
rename to resource URI
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 16:58:13 +00:00
Ramon Petgrave
f5362e5a4a
rename to PublicKeyHashAlgo
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 16:49:43 +00:00
Ramon Petgrave
ad1b81dc5d
update README
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 16:33:38 +00:00
Ramon Petgrave
f0fedec1dd
verify vsa passed message
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 15:59:09 +00:00
Ramon Petgrave
2ef9a40437
minify test data
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-20 15:52:17 +00:00
Ramon Petgrave
944c9a6f4c
singular print-attestation
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-19 00:32:31 +00:00
Ramon Petgrave
610ef6f1af
verify reamining fields, print attestations
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-19 00:30:15 +00:00
Ramon Petgrave
13a74b5b4a
embed the google vsa key, match against all signatures, match the subject digests
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 22:18:25 +00:00
Ramon Petgrave
ead4e9bf4e
use utility to parse envelope, docs, use keyID
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 20:23:24 +00:00
Ramon Petgrave
edde0a8aca
cleanup, more skeleton
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 18:48:42 +00:00
Ramon Petgrave
1f123f3c1d
attempt to verify envelope
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 18:35:53 +00:00
Ramon Petgrave
2dc64f7bda
vsa parser
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 18:35:24 +00:00
Ramon Petgrave
2f76f12ff3
different test example
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 18:34:37 +00:00
Ramon Petgrave
9704c97a22
parse dsse envelope
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-17 16:07:41 +00:00
Ramon Petgrave
a3a573a800
cleanup
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-17 16:06:50 +00:00
Ramon Petgrave
b90ede0bde
rename to TrustedProducerID, allow muyltiple --subject-digest flags
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-14 18:15:25 +00:00
Ramon Petgrave
a25abe2323
testdata, sample invocation in README.md
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-13 22:28:58 +00:00
Ramon Petgrave
b5eb1473b8
skeletion verify-vsa command
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-13 22:28:08 +00:00
Ramon Petgrave
7980fdebf6
Changed success message to a more general "PASSED: SLSA verification passed"
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-13 22:22:56 +00:00
Ramon Petgrave
18c5f13b3e
fix: signoff commit ( #767 )
...
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760
Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit
# Testing
- [x] Invoked this PR's branch copy of the workflow against #717 , and it
did signoff the commit.
-
9670f76ab832398091+ramonpetgrave64@users.noreply.github.com >
2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4
fix: use pr_number as env variable ( #771 )
...
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks ).
Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.
Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699
## Testing
I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36
after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4
chore: Update Renovate config ( #769 )
...
# Summary
Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices )
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.
Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly )
preset.
Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/ )
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.
---------
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
Signed-off-by: Ian Lewis <ianlewis@google.com >
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc
chore: fix pr-title-checker ( #770 )
...
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.
Signed-off-by: Ian Lewis <ianlewis@google.com >
2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c
fix(deps): update dependency @actions/core to v1.10.1 ( #717 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core )
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core ))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1 )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/toolkit (@​actions/core)</summary>
###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101 )
- Fix error message reference in oidc utils
[#​1511](https://togithub.com/actions/toolkit/pull/1511 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
---------
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Signed-off-by: github-actions <github-actions@github.com >
Co-authored-by: github-actions <github-actions@github.com >
2024-05-07 14:09:48 -04:00
Ramon Petgrave
23160d82c0
feat: workflow to update actions dist ( #760 )
...
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.
> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!
## Testing.
Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
- https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
- https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-06 17:56:35 -04:00
Mend Renovate
9c4e2196d8
chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 ( #763 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-06 16:01:16 +00:00
Mend Renovate
f787eeebf7
chore(deps): update golang:1.21 docker digest to d83472f ( #764 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-05-06 11:48:47 -04:00
Ramon Petgrave
637b07fdab
chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata ( #758 )
...
https://github.com/slsa-framework/slsa-github-generator/issues/3576
Next step in
https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier
Creating new test data for slsa-github-generator@v2.0.0
# Instructions:
## diff to download-artifacts.sh
```
diff --git a/download-artifacts.sh b/download-artifacts.sh
old mode 100644
new mode 100755
index e5e218e8..49257ea6
--- a/download-artifacts.sh
+++ b/download-artifacts.sh
@@ -88,6 +88,10 @@ unzip_files() {
rm -rf "${tmp_dir}"
;;
+ ./*.zip)
+ unzip -o "${zip_path}" -d "${output_path}"
+ ;;
+
*)
echo "unexpected file path: ${zip_path}"
exit 1
@@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven"
rename_java_files "workflow_dispatch-" "gradle"
# Files downloaded. Now copy them
-repo_path="../.."
+repo_path="/path/to/slsa-verifier"
# Go builder files.
copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}"
```
## download the artifacts
```
../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0
```
## docker github auth
```
gh auth login --scopes=read:packages
echo `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin
cosign save \
--dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \
ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d
```
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-04-23 12:26:13 -04:00
Mend Renovate
ee32cbff7e
chore(deps): update golang:1.21 docker digest to 81811f8 ( #693 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `ec457a2` -> `81811f8` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzAxLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-04-18 16:46:15 +00:00
Mend Renovate
79d225bb44
fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] ( #723 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign )
| `v2.2.0` -> `v2.2.4` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9 )
### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.
The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.
The vulnerable loop in Cosign starts on line 154 below:
0044432284/pkg/cosign/fetch.go (L135-L196)https://theupdateframework.io/security/ ), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.
### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.
####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc )
### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.
### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.
The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:
9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)a0658aa1d0/internal/verify/verify.go (L82-L100)https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv )
Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.
As an example, these lines demonstrate the problem:
286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)14795db164/pkg/oci/remote/index_test.go (L31-L57)286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4 )
#### Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#​3661](https://togithub.com/sigstore/cosign/issues/3661 ))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#​3526](https://togithub.com/sigstore/cosign/issues/3526 ))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#​3541](https://togithub.com/sigstore/cosign/issues/3541 ))
- Honor creation timestamp for signatures again
([#​3549](https://togithub.com/sigstore/cosign/issues/3549 ))
#### Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#​3578](https://togithub.com/sigstore/cosign/issues/3578 ))
#### Documentation
- add oci bundle spec
([#​3622](https://togithub.com/sigstore/cosign/issues/3622 ))
- Correct help text of triangulate cmd
([#​3551](https://togithub.com/sigstore/cosign/issues/3551 ))
- Correct help text of verify-attestation policy argument
([#​3527](https://togithub.com/sigstore/cosign/issues/3527 ))
- feat: add OVHcloud MPR registry tested with cosign
([#​3639](https://togithub.com/sigstore/cosign/issues/3639 ))
#### Testing
- Refactor e2e-tests.yml workflow
([#​3627](https://togithub.com/sigstore/cosign/issues/3627 ))
- Clean up and clarify e2e scripts
([#​3628](https://togithub.com/sigstore/cosign/issues/3628 ))
- Don't ignore transparency log in tests if possible
([#​3528](https://togithub.com/sigstore/cosign/issues/3528 ))
- Make E2E tests hermetic
([#​3499](https://togithub.com/sigstore/cosign/issues/3499 ))
- add e2e test for pkcs11 token signing
([#​3495](https://togithub.com/sigstore/cosign/issues/3495 ))
###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3 )
#### Bug Fixes
- Fix race condition on verification with multiple signatures attached
to image
([#​3486](https://togithub.com/sigstore/cosign/issues/3486 ))
- fix(clean): Fix clean cmd for private registries
([#​3446](https://togithub.com/sigstore/cosign/issues/3446 ))
- Fixed BYO PKI verification
([#​3427](https://togithub.com/sigstore/cosign/issues/3427 ))
#### Features
- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#​3466](https://togithub.com/sigstore/cosign/issues/3466 ))
- Add support for OpenVEX predicate type
([#​3405](https://togithub.com/sigstore/cosign/issues/3405 ))
#### Documentation
- Resolves
[#​3088](https://togithub.com/sigstore/cosign/issues/3088 ):
`version` sub-command expected behaviour documentation and testing
([#​3447](https://togithub.com/sigstore/cosign/issues/3447 ))
- add examples for cosign attach signature cmd
([#​3468](https://togithub.com/sigstore/cosign/issues/3468 ))
#### Misc
- Remove CertSubject function
([#​3467](https://togithub.com/sigstore/cosign/issues/3467 ))
- Use local rekor and fulcio instances in e2e tests
([#​3478](https://togithub.com/sigstore/cosign/issues/3478 ))
#### Contributors
- aalsabag
- Bob Callaway
- Carlos Tadeu Panato Junior
- Colleen Murphy
- Hayden B
- Mukuls77
- Omri Bornstein
- Puerco
- vivek kumar sahu
###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2 )
v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.
For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.
#### Bug Fixes
- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#​3411](https://togithub.com/sigstore/cosign/issues/3411 )) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#​3415](https://togithub.com/sigstore/cosign/issues/3415 ))
- Fix copy without any flag set
([#​3409](https://togithub.com/sigstore/cosign/issues/3409 ))
- Update cosign generate cmd to not include newline
([#​3393](https://togithub.com/sigstore/cosign/issues/3393 ))
- Fix idempotency error with signing
([#​3371](https://togithub.com/sigstore/cosign/issues/3371 ))
#### Features
- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#​3383](https://togithub.com/sigstore/cosign/issues/3383 ))
- Use the timeout flag value in verify\* commands.
([#​3391](https://togithub.com/sigstore/cosign/issues/3391 ))
- add --private-infrastructure flag
([#​3369](https://togithub.com/sigstore/cosign/issues/3369 ))
#### Container Updates
- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#​3373](https://togithub.com/sigstore/cosign/issues/3373 ))
#### Documentation
- Update SBOM_SPEC.md
([#​3358](https://togithub.com/sigstore/cosign/issues/3358 ))
#### Contributors
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Hayden B
- Lily Sturmann
- Nikos Fotiou
- Yonghe Zhao
###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1 )
**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9 ).
Please upgrade to this release ASAP**
#### Enhancements
- feat: Support basic auth and bearer auth login to registry
([#​3310](https://togithub.com/sigstore/cosign/issues/3310 ))
- add support for ignoring certificates with pkcs11
([#​3334](https://togithub.com/sigstore/cosign/issues/3334 ))
- Support ReplaceOp in Signatures
([#​3315](https://togithub.com/sigstore/cosign/issues/3315 ))
- feat: added ability to get image digest back via triangulate
([#​3255](https://togithub.com/sigstore/cosign/issues/3255 ))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#​3247](https://togithub.com/sigstore/cosign/issues/3247 ))
- feat: add support attaching a Rekor bundle to a container
([#​3246](https://togithub.com/sigstore/cosign/issues/3246 ))
- feat: add support outputting rekor response on signing
([#​3248](https://togithub.com/sigstore/cosign/issues/3248 ))
- feat: improve dockerfile verify subcommand
([#​3264](https://togithub.com/sigstore/cosign/issues/3264 ))
- Add guard flag for experimental OCI 1.1 verify.
([#​3272](https://togithub.com/sigstore/cosign/issues/3272 ))
- Deprecate SBOM attachments
([#​3256](https://togithub.com/sigstore/cosign/issues/3256 ))
- feat: dedent line in cosign copy doc
([#​3244](https://togithub.com/sigstore/cosign/issues/3244 ))
- feat: add platform flag to cosign copy command
([#​3234](https://togithub.com/sigstore/cosign/issues/3234 ))
- Add SLSA 1.0 attestation support to cosign. Closes
[#​2860](https://togithub.com/sigstore/cosign/issues/2860 )
([#​3219](https://togithub.com/sigstore/cosign/issues/3219 ))
- attest: pass OCI remote opts to att resolver.
([#​3225](https://togithub.com/sigstore/cosign/issues/3225 ))
#### Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#​3245](https://togithub.com/sigstore/cosign/issues/3245 ))
- ci: add a OCI registry test for referrers support
([#​3253](https://togithub.com/sigstore/cosign/issues/3253 ))
- Fix ReplaceSignatures
([#​3292](https://togithub.com/sigstore/cosign/issues/3292 ))
- Stop using deprecated in_toto.ProvenanceStatement
([#​3243](https://togithub.com/sigstore/cosign/issues/3243 ))
- Fixes
[#​3236](https://togithub.com/sigstore/cosign/issues/3236 ),
disable SCT checking for a cosign verification when usin…
([#​3237](https://togithub.com/sigstore/cosign/issues/3237 ))
- fix: update error in `SignedEntity` to be more descriptive
([#​3233](https://togithub.com/sigstore/cosign/issues/3233 ))
- Fail timestamp verification if no root is provided
([#​3224](https://togithub.com/sigstore/cosign/issues/3224 ))
#### Documentation
- Add some docs about verifying in an air-gapped environment
([#​3321](https://togithub.com/sigstore/cosign/issues/3321 ))
- Update CONTRIBUTING.md
([#​3268](https://togithub.com/sigstore/cosign/issues/3268 ))
- docs: improves the Contribution guidelines
([#​3257](https://togithub.com/sigstore/cosign/issues/3257 ))
- Remove security policy
([#​3230](https://togithub.com/sigstore/cosign/issues/3230 ))
#### Others
- Set go to min 1.21 and update dependencies
([#​3327](https://togithub.com/sigstore/cosign/issues/3327 ))
- Update contact for code of conduct
([#​3266](https://togithub.com/sigstore/cosign/issues/3266 ))
- Update .ko.yaml
([#​3240](https://togithub.com/sigstore/cosign/issues/3240 ))
#### Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Gareth Healy
- Hayden B
- John Kjell
- Jon Johnson
- jonvnadelberg
- Luiz Carvalho
- Priya Wadhwa
- Ramkumar Chinchani
- Tosone
- Ville Aikas
- Vishal Choudhary
- ziel
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-04-18 12:33:11 -04:00
Ramon Petgrave
8c9ed07f8f
feat: fixes #547 : add npm sigstore-tuf suport ( #731 )
...
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
- [x] Pending: https://github.com/sigstore/sigstore-go/pull/41
Uses the new
[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0 )
Currently slsa-verifier has npmjs' attestation key hardcoded. But
sigstore now stores the same key within their own TUF root.
This PR
- dynamically use the keyid specified in the sigstore bundle, rather
than the hardcoded keyid.
- uses an updated ([pending](
https://github.com/sigstore/sigstore-go/pull/41 )) sigstore-go library
that allows us to fetch a signed and verified copy of the same key.
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-04-16 17:21:49 +00:00
