Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Should Archivista use DSSE envelope signature keyid as optional? #321

Closed
kairoaraujo opened this issue Jul 3, 2024 · 0 comments · Fixed by #362
Closed

[Bug]: Should Archivista use DSSE envelope signature keyid as optional? #321

kairoaraujo opened this issue Jul 3, 2024 · 0 comments · Fixed by #362
Assignees
@kairoaraujo
Labels
bug Something isn't working

Comments

@kairoaraujo
Copy link
Collaborator

What steps did you take and what happened:

As reported by Adam Nauth in our Slack channel

Using sigstore to sign some metadata - a key ID isn't part of the resulting data. https://github.com/sigstore/sigstore/blob/main/pkg/signature/dsse/dsse.go#L65
This means Archivista cannot handle it on upload - getting a key id length error when it's blank. Note: The DSSE allows key id to be blank.
Is there an alternative way to upload data without a key id?

What did you expect to happen:

Should the Archivista make key id optional while storing, see below some code track.

Anything else you would like to add:

sigstore dsse envelope signature from go-sslib
https://github.com/secure-systems-lab/go-securesystemslib/blob/69233cc2977ebd65aef18b14e4ee26fe090c5146/dsse/envelope.go#L35

archivista dsse envelope signature from go-witness
https://github.com/in-toto/go-witness/blob/1cf974d08dd9d3bf039644970cf02652916d0cd8/dsse/dsse.go#L73

We parse it and use key_id as NotEmpty

archivista/ent/schema/signature.go

Line 35 in cf77c3b

field.String("key_id").NotEmpty(),

@kairoaraujo kairoaraujo added the bug Something isn't working label Jul 3, 2024
@kairoaraujo kairoaraujo self-assigned this Aug 16, 2024
kairoaraujo added a commit to kairoaraujo/archivista that referenced this issue Aug 20, 2024
@kairoaraujo
fix: keyid is allowed to be empty
fc72540 
Using sigstore to sign some metadata, a key ID isn't part of the
resulting date.

Archivista cannot handle it on upload, getting a key id length
error when it's blank.

The DSSE specification allows key id to be blank.

closes in-toto#321

Signed-off-by: Kairo Araujo <[email protected]>
@kairoaraujo kairoaraujo mentioned this issue Aug 20, 2024
Merged
5 tasks
kairoaraujo added a commit to kairoaraujo/archivista that referenced this issue Aug 20, 2024
@kairoaraujo
fix: keyid is allowed to be empty
76a7ff3 
Using sigstore to sign some metadata, a key ID isn't part of the
resulting date.

Archivista cannot handle it on upload, getting a key id length
error when it's blank.

The DSSE specification allows key id to be blank.

closes in-toto#321

Signed-off-by: Kairo Araujo <[email protected]>
@jkjell jkjell closed this as completed in f872a7f Aug 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kairoaraujo kairoaraujo

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix DSSE Signature KeyID compatiblity with Sigstore signatures kairoaraujo/archivista
1 participant
@kairoaraujo