Ramon Petgrave
ead4e9bf4e
use utility to parse envelope, docs, use keyID
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 20:23:24 +00:00
Ramon Petgrave
1f123f3c1d
attempt to verify envelope
...
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-06-18 18:35:53 +00:00
Mend Renovate
79d225bb44
fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] ( #723 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign )
| `v2.2.0` -> `v2.2.4` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9 )
### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.
The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.
The vulnerable loop in Cosign starts on line 154 below:
0044432284/pkg/cosign/fetch.go (L135-L196)https://theupdateframework.io/security/ ), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.
### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.
####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc )
### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.
### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.
The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:
9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)a0658aa1d0/internal/verify/verify.go (L82-L100)https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv )
Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.
As an example, these lines demonstrate the problem:
286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)14795db164/pkg/oci/remote/index_test.go (L31-L57)286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4 )
#### Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#​3661](https://togithub.com/sigstore/cosign/issues/3661 ))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#​3526](https://togithub.com/sigstore/cosign/issues/3526 ))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#​3541](https://togithub.com/sigstore/cosign/issues/3541 ))
- Honor creation timestamp for signatures again
([#​3549](https://togithub.com/sigstore/cosign/issues/3549 ))
#### Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#​3578](https://togithub.com/sigstore/cosign/issues/3578 ))
#### Documentation
- add oci bundle spec
([#​3622](https://togithub.com/sigstore/cosign/issues/3622 ))
- Correct help text of triangulate cmd
([#​3551](https://togithub.com/sigstore/cosign/issues/3551 ))
- Correct help text of verify-attestation policy argument
([#​3527](https://togithub.com/sigstore/cosign/issues/3527 ))
- feat: add OVHcloud MPR registry tested with cosign
([#​3639](https://togithub.com/sigstore/cosign/issues/3639 ))
#### Testing
- Refactor e2e-tests.yml workflow
([#​3627](https://togithub.com/sigstore/cosign/issues/3627 ))
- Clean up and clarify e2e scripts
([#​3628](https://togithub.com/sigstore/cosign/issues/3628 ))
- Don't ignore transparency log in tests if possible
([#​3528](https://togithub.com/sigstore/cosign/issues/3528 ))
- Make E2E tests hermetic
([#​3499](https://togithub.com/sigstore/cosign/issues/3499 ))
- add e2e test for pkcs11 token signing
([#​3495](https://togithub.com/sigstore/cosign/issues/3495 ))
###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3 )
#### Bug Fixes
- Fix race condition on verification with multiple signatures attached
to image
([#​3486](https://togithub.com/sigstore/cosign/issues/3486 ))
- fix(clean): Fix clean cmd for private registries
([#​3446](https://togithub.com/sigstore/cosign/issues/3446 ))
- Fixed BYO PKI verification
([#​3427](https://togithub.com/sigstore/cosign/issues/3427 ))
#### Features
- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#​3466](https://togithub.com/sigstore/cosign/issues/3466 ))
- Add support for OpenVEX predicate type
([#​3405](https://togithub.com/sigstore/cosign/issues/3405 ))
#### Documentation
- Resolves
[#​3088](https://togithub.com/sigstore/cosign/issues/3088 ):
`version` sub-command expected behaviour documentation and testing
([#​3447](https://togithub.com/sigstore/cosign/issues/3447 ))
- add examples for cosign attach signature cmd
([#​3468](https://togithub.com/sigstore/cosign/issues/3468 ))
#### Misc
- Remove CertSubject function
([#​3467](https://togithub.com/sigstore/cosign/issues/3467 ))
- Use local rekor and fulcio instances in e2e tests
([#​3478](https://togithub.com/sigstore/cosign/issues/3478 ))
#### Contributors
- aalsabag
- Bob Callaway
- Carlos Tadeu Panato Junior
- Colleen Murphy
- Hayden B
- Mukuls77
- Omri Bornstein
- Puerco
- vivek kumar sahu
###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2 )
v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.
For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.
#### Bug Fixes
- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#​3411](https://togithub.com/sigstore/cosign/issues/3411 )) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#​3415](https://togithub.com/sigstore/cosign/issues/3415 ))
- Fix copy without any flag set
([#​3409](https://togithub.com/sigstore/cosign/issues/3409 ))
- Update cosign generate cmd to not include newline
([#​3393](https://togithub.com/sigstore/cosign/issues/3393 ))
- Fix idempotency error with signing
([#​3371](https://togithub.com/sigstore/cosign/issues/3371 ))
#### Features
- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#​3383](https://togithub.com/sigstore/cosign/issues/3383 ))
- Use the timeout flag value in verify\* commands.
([#​3391](https://togithub.com/sigstore/cosign/issues/3391 ))
- add --private-infrastructure flag
([#​3369](https://togithub.com/sigstore/cosign/issues/3369 ))
#### Container Updates
- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#​3373](https://togithub.com/sigstore/cosign/issues/3373 ))
#### Documentation
- Update SBOM_SPEC.md
([#​3358](https://togithub.com/sigstore/cosign/issues/3358 ))
#### Contributors
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Hayden B
- Lily Sturmann
- Nikos Fotiou
- Yonghe Zhao
###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221 )
[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1 )
**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9 ).
Please upgrade to this release ASAP**
#### Enhancements
- feat: Support basic auth and bearer auth login to registry
([#​3310](https://togithub.com/sigstore/cosign/issues/3310 ))
- add support for ignoring certificates with pkcs11
([#​3334](https://togithub.com/sigstore/cosign/issues/3334 ))
- Support ReplaceOp in Signatures
([#​3315](https://togithub.com/sigstore/cosign/issues/3315 ))
- feat: added ability to get image digest back via triangulate
([#​3255](https://togithub.com/sigstore/cosign/issues/3255 ))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#​3247](https://togithub.com/sigstore/cosign/issues/3247 ))
- feat: add support attaching a Rekor bundle to a container
([#​3246](https://togithub.com/sigstore/cosign/issues/3246 ))
- feat: add support outputting rekor response on signing
([#​3248](https://togithub.com/sigstore/cosign/issues/3248 ))
- feat: improve dockerfile verify subcommand
([#​3264](https://togithub.com/sigstore/cosign/issues/3264 ))
- Add guard flag for experimental OCI 1.1 verify.
([#​3272](https://togithub.com/sigstore/cosign/issues/3272 ))
- Deprecate SBOM attachments
([#​3256](https://togithub.com/sigstore/cosign/issues/3256 ))
- feat: dedent line in cosign copy doc
([#​3244](https://togithub.com/sigstore/cosign/issues/3244 ))
- feat: add platform flag to cosign copy command
([#​3234](https://togithub.com/sigstore/cosign/issues/3234 ))
- Add SLSA 1.0 attestation support to cosign. Closes
[#​2860](https://togithub.com/sigstore/cosign/issues/2860 )
([#​3219](https://togithub.com/sigstore/cosign/issues/3219 ))
- attest: pass OCI remote opts to att resolver.
([#​3225](https://togithub.com/sigstore/cosign/issues/3225 ))
#### Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#​3245](https://togithub.com/sigstore/cosign/issues/3245 ))
- ci: add a OCI registry test for referrers support
([#​3253](https://togithub.com/sigstore/cosign/issues/3253 ))
- Fix ReplaceSignatures
([#​3292](https://togithub.com/sigstore/cosign/issues/3292 ))
- Stop using deprecated in_toto.ProvenanceStatement
([#​3243](https://togithub.com/sigstore/cosign/issues/3243 ))
- Fixes
[#​3236](https://togithub.com/sigstore/cosign/issues/3236 ),
disable SCT checking for a cosign verification when usin…
([#​3237](https://togithub.com/sigstore/cosign/issues/3237 ))
- fix: update error in `SignedEntity` to be more descriptive
([#​3233](https://togithub.com/sigstore/cosign/issues/3233 ))
- Fail timestamp verification if no root is provided
([#​3224](https://togithub.com/sigstore/cosign/issues/3224 ))
#### Documentation
- Add some docs about verifying in an air-gapped environment
([#​3321](https://togithub.com/sigstore/cosign/issues/3321 ))
- Update CONTRIBUTING.md
([#​3268](https://togithub.com/sigstore/cosign/issues/3268 ))
- docs: improves the Contribution guidelines
([#​3257](https://togithub.com/sigstore/cosign/issues/3257 ))
- Remove security policy
([#​3230](https://togithub.com/sigstore/cosign/issues/3230 ))
#### Others
- Set go to min 1.21 and update dependencies
([#​3327](https://togithub.com/sigstore/cosign/issues/3327 ))
- Update contact for code of conduct
([#​3266](https://togithub.com/sigstore/cosign/issues/3266 ))
- Update .ko.yaml
([#​3240](https://togithub.com/sigstore/cosign/issues/3240 ))
#### Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Gareth Healy
- Hayden B
- John Kjell
- Jon Johnson
- jonvnadelberg
- Luiz Carvalho
- Priya Wadhwa
- Ramkumar Chinchani
- Tosone
- Ville Aikas
- Vishal Choudhary
- ziel
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-04-18 12:33:11 -04:00
Ramon Petgrave
8c9ed07f8f
feat: fixes #547 : add npm sigstore-tuf suport ( #731 )
...
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
- [x] Pending: https://github.com/sigstore/sigstore-go/pull/41
Uses the new
[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0 )
Currently slsa-verifier has npmjs' attestation key hardcoded. But
sigstore now stores the same key within their own TUF root.
This PR
- dynamically use the keyid specified in the sigstore bundle, rather
than the hardcoded keyid.
- uses an updated ([pending](
https://github.com/sigstore/sigstore-go/pull/41 )) sigstore-go library
that allows us to fetch a signed and verified copy of the same key.
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-04-16 17:21:49 +00:00
Ramon Petgrave
fe539a2bde
fix: use sigstore/pkg/fulcioroots to lessen deps ( #746 )
...
We've long had the problem that slsa-verifier has too many dependencies.
This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lot's of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.
## Investigation
At
[deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws ),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.
<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c ">
That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.
Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.
```
➜ slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```
Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.
-
546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder )
## Future Work
The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
2024-03-27 14:27:09 +00:00
Mend Renovate
449e404e2a
fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] ( #743 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go )
| `v1.32.0` -> `v1.33.0` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786 )
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.
---
### Release Notes
<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>
###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0 )
[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2024-03-26 15:33:59 +00:00
Mend Renovate
bb41cb6ab2
fix(deps): update go ( #498 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/go-openapi/runtime](https://togithub.com/go-openapi/runtime )
| `v0.26.2` -> `v0.27.0` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
| [github.com/go-openapi/swag](https://togithub.com/go-openapi/swag ) |
`v0.22.7` -> `v0.22.8` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>go-openapi/runtime (github.com/go-openapi/runtime)</summary>
###
[`v0.27.0`](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0 )
[Compare
Source](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0 )
</details>
<details>
<summary>go-openapi/swag (github.com/go-openapi/swag)</summary>
###
[`v0.22.8`](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8 )
[Compare
Source](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMjUuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-01-24 14:31:57 -08:00
Ramon Petgrave
74119b2a7f
fix(deps): update go to 1.21 ( #738 )
...
Fixing the existing PR
https://github.com/slsa-framework/slsa-verifier/pull/498 to also change
the github actions to use the go 1.21 sourced directly from `go.mod`.
-
07e64b653f/.github/workflows/builder_go_slsa3.yml (L56)https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498
> ...
Error: We were unable to automatically build your code. Please replace
the call to the autobuild action with your custom build steps.
Encountered a fatal error while running
"/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh".
Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built
with go1.21.5, environment has go1.20.12
...
Also fixing some more lint checks about repeated strings
---------
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
Co-authored-by: Mend Renovate <bot@renovateapp.com >
2024-01-24 09:29:20 -08:00
laurentsimon
e986dfc0ff
feat: Digest for new release ( #722 )
...
#label:release v2.4.1
How to LGTM this PR:
Ensure you have installed the GitHub client from https://cli.github.com .
If it is not installed in your `PATH`, set `export GH=/path/to/your/gh`
Set your `export GH_TOKEN=...`
Use [verify-release.sh](./verify-release.sh) script in this repository:
```
bash verify-release v2.4.1
```
Once it completes, you will see the last line `Verifying artifact
/tmp/tmp.SomeRanDOm/` and do:
```bash
sha256sum /tmp/tmp.SomeRanDOm/* | grep -v intoto
```
This will print out the hashes. Compare them to the changes in this PR
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-11-07 17:23:25 -08:00
laurentsimon
2184d9d604
chore: bump versions ( #715 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-10 00:27:33 +00:00
Mend Renovate
0e5b3a3d11
fix(deps): update golang.org/x/exp digest to 7918f67 ( #694 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `10a5072` -> `7918f67` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-10-09 09:59:53 -07:00
laurentsimon
58eede7e66
feat: gcb v1.0 support ( #691 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/683
This is a large PR, but there is not much new code.
The code adding support for v1.0 is under:
- verifiers/internal/gcb/slsaprovenance/v1.0/*
- verifiers/internal/gcb/slsaprovenance/provenance.go
The rest is mostly some re-factoring needed
Remaining is regression tests, tracked in
https://github.com/slsa-framework/slsa-verifier/issues/690
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-08-18 17:32:58 +00:00
Ian Lewis
f025c630ac
refactor: Use Go 1.20 ( #643 )
...
Fixes #589
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 10:49:52 +09:00
Mend Renovate
dab7d387fa
fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 ( #606 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 01:33:18 +00:00
Mend Renovate
5ca5eb0120
fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] ( #622 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-02 09:10:53 -05:00
laurentsimon
3a4e992444
feat: verify claims in provenance match the certificate ( #572 )
...
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-05-09 23:52:36 +00:00
Mend Renovate
9b6ec903b9
fix(deps): update github.com/sigstore/protobuf-specs digest to 91485b4 ( #584 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-05-09 00:32:22 +09:00
asraa
467e0820b6
chore: update slsa provenance to v1 ( #579 )
...
* chore: update slsa provenance to v1
Signed-off-by: Asra Ali <asraa@google.com >
* fix import path
Signed-off-by: Asra Ali <asraa@google.com >
* update dsse testcases
Signed-off-by: Asra Ali <asraa@google.com >
* fix cosign image verification in update
Signed-off-by: Asra Ali <asraa@google.com >
---------
Signed-off-by: Asra Ali <asraa@google.com >
2023-05-08 15:18:16 +00:00
Mend Renovate
954a421526
fix(deps): update github.com/sigstore/protobuf-specs digest to 13e09aa ( #578 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-05-01 01:35:03 +00:00
Mend Renovate
0a7e71cb09
fix(deps): update github.com/sigstore/protobuf-specs digest to b6d2576 ( #559 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-04-19 13:34:26 +09:00
Mend Renovate
6137b13c0e
fix(deps): update github.com/sigstore/protobuf-specs digest to 4dbf10b ( #553 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-04-11 00:20:40 +00:00
Mend Renovate
a09c6aa06a
fix(deps): update github.com/sigstore/protobuf-specs digest to c8a23a4 ( #528 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: asraa <asraa@google.com >
2023-03-24 13:45:48 +00:00
Mend Renovate
5fc3389c24
fix(deps): update github.com/sigstore/protobuf-specs digest to 44103a5 ( #499 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-02-22 12:21:03 +09:00
Mend Renovate
64d1a7f5e9
fix(deps): update module github.com/sigstore/cosign/v2 to v2.0.0-rc.2 ( #481 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-02-14 07:12:13 +09:00
asraa
5d6c770d43
feat: support branch and tag from slsa v1 provenance ( #476 )
...
* feat: support branch and tag from slsa v1 provenance
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
2023-02-10 21:33:16 +00:00
asraa
239c4489ce
feat: add slsa v1?draft provenance experimental support ( #470 )
...
* feat: add slsa v1?draft provenance support
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
2023-02-09 17:21:15 +00:00
Mend Renovate
69da812e1c
fix(deps): update github.com/sigstore/protobuf-specs digest to 9b722b6 ( #465 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-02-07 20:15:42 +00:00
Mend Renovate
be04b2a04c
fix(deps): update module github.com/in-toto/in-toto-golang to v0.6.0 ( #468 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-02-06 08:52:55 -06:00
asraa
362bd1a331
feat: add offline bundle signature verification ( #457 )
...
* feat: add bundle signature verification
Signed-off-by: Asra Ali <asraa@google.com >
2023-02-03 09:31:40 -06:00
Mend Renovate
b0c071b496
fix(deps): update go ( #453 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-01-25 09:52:35 -06:00
Mend Renovate
e8c3438638
fix(deps): update go ( #386 )
...
Co-authored-by: Ian Lewis <ianlewis@google.com >
2022-12-15 01:39:54 +00:00
Shunsuke Suzuki
74fd528309
fix: fix the Go package version to v2 ( #373 )
...
* fix: fix the package version to v2
```
git ls-files | grep ".go$" | xargs -n 1 gsed -i "s|github.com/slsa-framework/slsa-verifier|github.com/slsa-framework/slsa-verifier/v2|g"
```
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* fix: fix the package version to v2
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* test: fix source
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
2022-12-01 18:49:39 -08:00
WhiteSource Renovate
a5568ee8ba
fix(deps): update module github.com/spf13/cobra to v1.6.1 ( #340 )
...
Co-authored-by: asraa <asraa@google.com >
2022-10-31 18:24:56 +00:00
Ian Lewis
c845407336
Update sigstore libraries ( #326 )
...
* Update sigstore libraries
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
* Update slsa-github-generator
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
* go mod tidy
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
Co-authored-by: asraa <asraa@google.com >
2022-10-27 14:36:36 +00:00
asraa
05d247fb14
rekor: use rekor client with retries ( #301 )
...
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
2022-10-17 16:55:40 +00:00
WhiteSource Renovate
beada4bd09
fix(deps): update module github.com/go-openapi/runtime to v0.24.2 ( #304 )
...
Co-authored-by: asraa <asraa@google.com >
2022-10-17 16:33:55 +00:00
WhiteSource Renovate
4f09605a47
fix(deps): update module github.com/sigstore/sigstore to v1.4.4 ( #294 )
...
Co-authored-by: asraa <asraa@google.com >
2022-10-12 14:26:35 +00:00
asraa
936dc46aca
ci: fix path to config ( #297 )
...
Signed-off-by: Asra Ali <asraa@google.com >
use k8s versioning to show commit and tree state
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
2022-10-08 18:31:10 +00:00
WhiteSource Renovate
7bb343116e
fix(deps): update module github.com/sigstore/sigstore to v1.4.2 ( #272 )
...
Co-authored-by: asraa <asraa@google.com >
2022-09-26 11:35:50 +00:00
WhiteSource Renovate
5f98831104
fix(deps): update module github.com/sigstore/sigstore to v1.4.1 ( #263 )
2022-09-23 14:04:06 +00:00
WhiteSource Renovate
78a225d3bd
fix(deps): update module github.com/sigstore/cosign to v1.12.0 ( #264 )
2022-09-19 16:33:55 -04:00
WhiteSource Renovate
cddba700c8
fix(deps): update module github.com/google/go-cmp to v0.5.9 ( #253 )
...
Co-authored-by: asraa <asraa@google.com >
2022-09-14 17:47:23 +00:00
laurentsimon
d12dce9526
feat: CLI tests for GCB verification ( #251 )
...
* update
* update
* update
2022-09-08 13:36:56 -07:00
laurentsimon
d5b56c334e
feat: add CLI tests for GCB verification ( #245 )
...
* update
* update
* update
* update
2022-09-02 20:42:40 +00:00
WhiteSource Renovate
0ff60a240a
fix(deps): update module github.com/sigstore/cosign to v1.11.1 ( #239 )
...
Co-authored-by: asraa <asraa@google.com >
2022-09-01 15:31:07 +00:00
laurentsimon
26c928f5b7
Verify text provenance for GCB ( #242 )
...
* update
* update
* update
* update
* update
* comments
* comments
2022-08-30 23:08:46 +00:00
WhiteSource Renovate
3fc1dbde46
fix(deps): update module github.com/sigstore/rekor to v0.11.0 ( #225 )
2022-08-23 09:38:20 -05:00
WhiteSource Renovate
ab0daccd34
fix(deps): update module github.com/sigstore/cosign to v1.11.0 ( #224 )
...
Co-authored-by: asraa <asraa@google.com >
2022-08-23 14:13:21 +00:00
WhiteSource Renovate
459608e7d8
fix(deps): update module github.com/go-openapi/swag to v0.22.3 ( #215 )
2022-08-19 11:55:11 -07:00
asraa
7b4b9cde06
feat: support oci image verification ( #147 )
...
* feat: support oci image verification
Signed-off-by: Asra Ali <asraa@google.com >
* add testing folder
Signed-off-by: Asra Ali <asraa@google.com >
* update name and make fix
Signed-off-by: Asra Ali <asraa@google.com >
* add tests
Signed-off-by: Asra Ali <asraa@google.com >
* Add initial testing
Signed-off-by: Asra Ali <asraa@google.com >
* updated comments
Signed-off-by: Asra Ali <asraa@google.com >
* update
Signed-off-by: Asra Ali <asraa@google.com >
* fix digest calculation
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2022-08-17 15:59:01 -05:00
