This repository has been archived by the owner on Apr 9, 2024. It is now read-only.
Add an endorser command line tool #240
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tiziano88
approved these changes
Jul 21, 2023
cmd/endorser/README.md
Outdated
| generates an endorsement statement, with the given provenances listed in the endorsement statement's | ||
| evidence field. | ||
|
|
||
| Example execution with not provenances: |
There was a problem hiding this comment.
Suggested change
| Example execution with not provenances: | |
| Example execution without provenances: |
cmd/endorser/main.go
Outdated
| ) | ||
|
|
||
| // layout represents the expected date format. | ||
| const layout = "20060102" |
cmd/endorser/main.go
Outdated
Comment on lines
58
to
66
| binaryDigest := flag.String("binary_digest", "", "Digest of the binary to endorse, of the form alg:value. Accepted values for alg include sha256, and sha2-256") | ||
| binaryName := flag.String("binary_name", "", "Name of the binary to endorse. Should match the name in provenances, if provenance URIs are provided.") | ||
| verificationOptions := flag.String("verification_options", "", "Output path to a textproto file containing verification options.") | ||
| endorsementPath := flag.String("endorsement_path", "endorsement.json", "Output path to store the generated endorsement statement in.") | ||
| notBefore := flag.String("not_before", defaultNotBefore, | ||
| "Optional - The date from which the endorsement is effective. The expected date format is YYYYMMDD. Defaults to 1 day after the issuance date.") | ||
| notAfter := flag.String("not_after", defaultNotAfter, | ||
| "Required - The expiry date of the endorsement. The expected date format is YYYYMMDD. Defaults to 90 day after the issuance date.") | ||
| flag.Var(&provenanceURIs, "provenance_uris", "URIs of the provenances.") |
There was a problem hiding this comment.
I think flags are normally in the top level scope, unless they need to be dynamically generated.
cmd/endorser/main.go
Outdated
| binaryName := flag.String("binary_name", "", "Name of the binary to endorse. Should match the name in provenances, if provenance URIs are provided.") | ||
| verificationOptions := flag.String("verification_options", "", "Output path to a textproto file containing verification options.") | ||
| endorsementPath := flag.String("endorsement_path", "endorsement.json", "Output path to store the generated endorsement statement in.") | ||
| notBefore := flag.String("not_before", defaultNotBefore, |
There was a problem hiding this comment.
Setting the default to a dynamic value seems confusing; if someone runs the --help command, they will see the default change all the time I think? It seems more appropriate to leave that empty, and if so rely on some logic to deal with the default
There was a problem hiding this comment.
Makes sense. Removed the defaults from the flag, but these defaults are used if no value is specified.
cmd/endorser/main.go
Outdated
|
|
||
| bytes, err := json.MarshalIndent(endorsement, "", " ") | ||
| if err != nil { | ||
| log.Fatalf("could not marshal the fuzzing claim: %v", err) |
There was a problem hiding this comment.
Good catch. sloppy copy-paste. Fixed.
cmd/endorser/main.go
Outdated
| } | ||
|
|
||
| func main() { | ||
| // Current time in UTC time zone since it is used by OSS-Fuzz. |
There was a problem hiding this comment.
What is the connection with OSS-Fuzz?
There was a problem hiding this comment.
Oops! Copy-paste! Fixed.
rbehjati
commented
Jul 21, 2023
cmd/endorser/README.md
Outdated
| generates an endorsement statement, with the given provenances listed in the endorsement statement's | ||
| evidence field. | ||
|
|
||
| Example execution with not provenances: |
cmd/endorser/main.go
Outdated
| ) | ||
|
|
||
| // layout represents the expected date format. | ||
| const layout = "20060102" |
There was a problem hiding this comment.
It is ISO 8601. Both YYYY-MM-DD and YYYYMMDD are allowed (wikipedia). But, changed it to YYYY-MM-DD.
cmd/endorser/main.go
Outdated
| } | ||
|
|
||
| func main() { | ||
| // Current time in UTC time zone since it is used by OSS-Fuzz. |
There was a problem hiding this comment.
Oops! Copy-paste! Fixed.
cmd/endorser/main.go
Outdated
| binaryName := flag.String("binary_name", "", "Name of the binary to endorse. Should match the name in provenances, if provenance URIs are provided.") | ||
| verificationOptions := flag.String("verification_options", "", "Output path to a textproto file containing verification options.") | ||
| endorsementPath := flag.String("endorsement_path", "endorsement.json", "Output path to store the generated endorsement statement in.") | ||
| notBefore := flag.String("not_before", defaultNotBefore, |
There was a problem hiding this comment.
Makes sense. Removed the defaults from the flag, but these defaults are used if no value is specified.
cmd/endorser/main.go
Outdated
Comment on lines
58
to
66
| binaryDigest := flag.String("binary_digest", "", "Digest of the binary to endorse, of the form alg:value. Accepted values for alg include sha256, and sha2-256") | ||
| binaryName := flag.String("binary_name", "", "Name of the binary to endorse. Should match the name in provenances, if provenance URIs are provided.") | ||
| verificationOptions := flag.String("verification_options", "", "Output path to a textproto file containing verification options.") | ||
| endorsementPath := flag.String("endorsement_path", "endorsement.json", "Output path to store the generated endorsement statement in.") | ||
| notBefore := flag.String("not_before", defaultNotBefore, | ||
| "Optional - The date from which the endorsement is effective. The expected date format is YYYYMMDD. Defaults to 1 day after the issuance date.") | ||
| notAfter := flag.String("not_after", defaultNotAfter, | ||
| "Required - The expiry date of the endorsement. The expected date format is YYYYMMDD. Defaults to 90 day after the issuance date.") | ||
| flag.Var(&provenanceURIs, "provenance_uris", "URIs of the provenances.") |
cmd/endorser/main.go
Outdated
|
|
||
| bytes, err := json.MarshalIndent(endorsement, "", " ") | ||
| if err != nil { | ||
| log.Fatalf("could not marshal the fuzzing claim: %v", err) |
There was a problem hiding this comment.
Good catch. sloppy copy-paste. Fixed.
rbehjati
force-pushed
the
cmd-endorser
branch
3 times, most recently
from
83bf39e
to
a81d632
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Have tested with the following commands:
Provenance-less endorsement:
Resulting endorsement:
{ "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://github.com/project-oak/transparent-release/claim/v1", "subject": [ { "name": "binary", "digest": { "sha256": "1234" } } ], "predicate": { "claimType": "https://github.com/project-oak/transparent-release/endorsement/v2", "issuedOn": "2023-07-20T19:38:48.780747796+01:00", "validity": { "notBefore": "2023-07-21T00:00:00Z", "notAfter": "2023-10-18T00:00:00Z" } } }Normal endorsement with linked provenance:
Resulting endorsement:
{ "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://github.com/project-oak/transparent-release/claim/v1", "subject": [ { "name": "oak_echo_raw_enclave_app", "digest": { "sha256": "39051983bbb600bbfb91bd22ee4c976420f8f0c6a895fd083dcb0d153ddd5fd6" } } ], "predicate": { "claimType": "https://github.com/project-oak/transparent-release/endorsement/v2", "issuedOn": "2023-07-20T19:33:34.793557441+01:00", "validity": { "notBefore": "2023-07-21T00:00:00Z", "notAfter": "2023-10-18T00:00:00Z" }, "evidence": [ { "role": "Provenance", "uri": "https://ent-server-62sa4xcfia-ew.a.run.app/raw/sha256:b28696a8341443e3ba433373c60fe1eba8d96f28c8aff6c5ee03d752dd3b399b", "digest": { "sha256": "b28696a8341443e3ba433373c60fe1eba8d96f28c8aff6c5ee03d752dd3b399b" } } ] } }