diff --git a/README.md b/README.md index 2b58de9..f7a1120 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ directory and perform the step. ```shell cd ../functionary_bob -in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git +in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git ``` Here is what happens behind the scenes: @@ -124,7 +124,7 @@ So first Bob records the state of the files he will modify: ```shell # In functionary_bob directory -in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py +in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py ``` Then Bob uses an editor of his choice to update the version number in `demo-project/foo.py`, e.g.: @@ -137,7 +137,7 @@ And finally he records the state of files after the modification and produces a link metadata file called `update-version.[Bob's keyid].link`. ```shell # In functionary_bob directory -in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py +in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py ``` Bob has done his work and can send over the sources to Carl, who will create @@ -154,7 +154,7 @@ to change to Carl's directory and create a package of the software project ```shell cd ../functionary_carl -in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project +in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project ``` This will create another step link metadata file, called `package.[Carl's keyid].link`. @@ -167,7 +167,7 @@ our software package `demo-project.tar.gz` and the related metadata files `root. `clone.[Bob's keyid].link`, `update-version.[Bob's keyid].link` and `package.[Carl's keyid].link`: ```shell cd .. -cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/ +cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/ ``` And now run verification on behalf of the client: ```shell @@ -175,7 +175,7 @@ cd final_product # Fetch Alice's public key from a trusted source to verify the layout signature # Note: The functionary public keys are fetched from the layout cp ../owner_alice/alice.pub . -in-toto-verify --layout root.layout --layout-key alice.pub +in-toto-verify --layout root.layout --verification-keys alice.pub ``` This command will verify that 1. the layout has not expired, @@ -208,19 +208,19 @@ Carl thought that this is the genuine code he got from Bob and unwittingly packages the tampered version of foo.py ```shell -in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project +in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project ``` and ships everything out as final product to the client: ```shell cd .. -cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/ +cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/ ``` ### Verifying the malicious product ```shell cd final_product -in-toto-verify --layout root.layout --layout-key alice.pub +in-toto-verify --layout root.layout --verification-keys alice.pub ``` This time, in-toto will detect that the product `foo.py` from Bob's `update-version` step was not used as material in Carl's `package` step (the verified hashes diff --git a/owner_alice/create_layout.py b/owner_alice/create_layout.py index 1f14c54..2850afa 100644 --- a/owner_alice/create_layout.py +++ b/owner_alice/create_layout.py @@ -1,16 +1,19 @@ -from securesystemslib import interface -from securesystemslib.signer import SSlibSigner +from cryptography.hazmat.primitives.serialization import load_pem_private_key +from securesystemslib.signer import CryptoSigner from in_toto.models.layout import Layout from in_toto.models.metadata import Envelope - +# https://github.com/in-toto/in-toto/issues/663 +from in_toto.models._signer import load_public_key_from_file def main(): # Load Alice's private key to later sign the layout - key_alice = interface.import_rsa_privatekey_from_file("alice") - signer_alice = SSlibSigner(key_alice) + with open("alice", "rb") as f: + key_alice = load_pem_private_key(f.read(), None) + + signer_alice = CryptoSigner(key_alice) # Fetch and load Bob's and Carl's public keys # to specify that they are authorized to perform certain step in the layout - key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub") - key_carl = interface.import_rsa_publickey_from_file("../functionary_carl/carl.pub") + key_bob = load_public_key_from_file("../functionary_bob/bob.pub") + key_carl = load_public_key_from_file("../functionary_carl/carl.pub") layout = Layout.read({ "_type": "layout", diff --git a/requirements.txt b/requirements.txt index a6ee547..54171f7 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1,2 @@ in-toto==2.3.0 +cryptography==42.0.7 diff --git a/run_demo.py b/run_demo.py index 8c5c32e..0a34f24 100644 --- a/run_demo.py +++ b/run_demo.py @@ -33,7 +33,7 @@ def supply_chain(): " --verbose" " --use-dsse" " --step-name clone --products demo-project/foo.py" - " --key bob -- git clone https://github.com/in-toto/demo-project.git") + " --signing-key bob -- git clone https://github.com/in-toto/demo-project.git") print(clone_cmd) subprocess.call(shlex.split(clone_cmd)) @@ -43,7 +43,7 @@ def supply_chain(): " --verbose" " --use-dsse" " --step-name update-version" - " --key bob" + " --signing-key bob" " --materials demo-project/foo.py") print(update_version_start_cmd) @@ -58,7 +58,7 @@ def supply_chain(): " --verbose" " --use-dsse" " --step-name update-version" - " --key bob" + " --signing-key bob" " --products demo-project/foo.py") print(update_version_stop_cmd) @@ -73,7 +73,7 @@ def supply_chain(): " --use-dsse" " --step-name package --materials demo-project/foo.py" " --products demo-project.tar.gz" - " --key carl --record-streams" + " --signing-key carl --record-streams" " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project") print(package_cmd) subprocess.call(shlex.split(package_cmd)) @@ -82,9 +82,9 @@ def supply_chain(): prompt_key("Create final product") os.chdir("..") copyfile("owner_alice/root.layout", "final_product/root.layout") - copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link") - copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link") - copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link") + copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link") + copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link") + copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link") copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz") @@ -94,7 +94,7 @@ def supply_chain(): verify_cmd = ("in-toto-verify" " --verbose" " --layout root.layout" - " --layout-key alice.pub") + " --verification-keys alice.pub") print(verify_cmd) retval = subprocess.call(shlex.split(verify_cmd)) print("Return value: " + str(retval)) @@ -115,7 +115,7 @@ def supply_chain(): " --use-dsse" " --step-name package --materials demo-project/foo.py" " --products demo-project.tar.gz" - " --key carl --record-streams" + " --signing-key carl --record-streams" " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project") print(package_cmd) subprocess.call(shlex.split(package_cmd)) @@ -124,9 +124,9 @@ def supply_chain(): prompt_key("Create final product") os.chdir("..") copyfile("owner_alice/root.layout", "final_product/root.layout") - copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link") - copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link") - copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link") + copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link") + copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link") + copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link") copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz") @@ -136,7 +136,7 @@ def supply_chain(): verify_cmd = ("in-toto-verify" " --verbose" " --layout root.layout" - " --layout-key alice.pub") + " --verification-keys alice.pub") print(verify_cmd) retval = subprocess.call(shlex.split(verify_cmd)) @@ -154,17 +154,17 @@ def main(): if args.clean: files_to_delete = [ "owner_alice/root.layout", - "functionary_bob/clone.776a00e2.link", - "functionary_bob/update-version.776a00e2.link", + "functionary_bob/clone.210dcc50.link", + "functionary_bob/update-version.210dcc50.link", "functionary_bob/demo-project", - "functionary_carl/package.2f89b927.link", + "functionary_carl/package.be06db20.link", "functionary_carl/demo-project.tar.gz", "functionary_carl/demo-project", "final_product/alice.pub", "final_product/demo-project.tar.gz", - "final_product/package.2f89b927.link", - "final_product/clone.776a00e2.link", - "final_product/update-version.776a00e2.link", + "final_product/package.be06db20.link", + "final_product/clone.210dcc50.link", + "final_product/update-version.210dcc50.link", "final_product/untar.link", "final_product/root.layout", "final_product/demo-project", diff --git a/run_demo_md.py b/run_demo_md.py index ba02338..6082fe1 100644 --- a/run_demo_md.py +++ b/run_demo_md.py @@ -40,35 +40,28 @@ + python create_layout.py Created demo in-toto layout as "root.layout". + cd ../functionary_bob -+ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git -'-k', '--key' is deprecated, use '--signing-key' instead. -+ in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py -'-k', '--key' is deprecated, use '--signing-key' instead. ++ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git ++ in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py + sed -i.bak s/v0/v1/ demo-project/foo.py + rm demo-project/foo.py.bak -+ in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py -'-k', '--key' is deprecated, use '--signing-key' instead. ++ in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py + cp -r demo-project ../functionary_carl/ + cd ../functionary_carl -+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project -'-k', '--key' is deprecated, use '--signing-key' instead. ++ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project + cd .. -+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/ ++ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/ + cd final_product + cp ../owner_alice/alice.pub . -+ in-toto-verify --layout root.layout --layout-key alice.pub -'-k', '--layout-keys' is deprecated, use '--verification-keys' instead. ++ in-toto-verify --layout root.layout --verification-keys alice.pub + echo 0 0 + cd ../functionary_carl + echo something evil -+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project -'-k', '--key' is deprecated, use '--signing-key' instead. ++ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project + cd .. -+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/ ++ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/ + cd final_product -+ in-toto-verify --layout root.layout --layout-key alice.pub -'-k', '--layout-keys' is deprecated, use '--verification-keys' instead. ++ in-toto-verify --layout root.layout --verification-keys alice.pub (in-toto-verify) RuleVerificationError: 'DISALLOW *' matched the following artifacts: ['demo-project/foo.py'] Full trace for 'expected_materials' of item 'package': Available materials (used for queue):