Improve Verification on signing PRs: Detect correct repository and filtering output #497

Open
asraa opened this issue Oct 20, 2022 · 1 comment
Labels
bug Something isn't working

Comments

asraa commented Oct 20, 2022

cc @kommendorkapten

Description

Currently, verifiers run something like:

REPO=ceremony/YYYY-MM-DD ./scripts/verify.sh

This script runs an entire suite of verification commands that can apply to any type of PR run or repository (incomplete, complete).

# Verify keys if the keys/ directory exists. It does not exist in the top-level published repository.
if [ -d "$REPO"/keys ]; then
    ./verify keys --root piv-attestation-ca.pem --key-directory "$REPO"/keys
fi
# If staged metadata exists, verify the staged repository.
if [ -f "$REPO"/staged/root.json ]; then
    ./verify repository --repository "$REPO" --staged
fi
# If published data exists, verify against a root.
if [ -f "$REPO"/repository/1.root.json ]; then
    ./verify repository --repository "$REPO" --root "$REPO"/repository/1.root.json
fi

Instead, there are really only a few types of events verifiers need to look for:

  • Verification of committed HSM key data only (used for initializing new metadata, no signatures present). This is the key command
    rootCmd.AddCommand(keyCmd)
  • Verification of some present signatures (for any signing events). This is "verifying staged metadata" in here.
  • Verification of the full entirety of metadata. This is the verify metadata without the staged sub-command.

Idea:

  • Separate verification commands ./scripts/verify-signing.sh or ./scripts/verify-snapshot-timestamp.sh or ./scripts/verify-metadata.sh, ./scripts/verify-keys.sh, or give a select prompt if we want to maintain the single ./scripts/verify.sh entrypoint. Document what users are expected to do in the different PR scenarios.
  • Separate the VerifyCmd to VerifyStagedCmd and VerifyRepositoryCmd to make it clear/subcommands.

Version

@asraa asraa added the bug Something isn't working label Oct 20, 2022
asraa commented Oct 20, 2022

@kommendorkapten also brings up the point that when verifying newly initialized metadata, where we don't expect any sigs, we are also looking to identify properties other than keys: is the data well-formed? What are the expiries? This isn't handled by any of the commands right now.

Also: that probably makes sense under verifyStagedMetadata. Verifying signatures probably should be called verifySignatures at a top-level.
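
One way to make the scenario split from the issue description explicit, as an added example that is not the project's code: in the quoted script a REPO path that matches none of the three conditions runs no check at all, so this sketch classifies the directory first and fails closed. The directory markers and ./verify invocations are the ones quoted in the issue; the scenario names, the function names and the precedence between markers are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. Directory markers and ./verify
# invocations are taken from the issue; scenario names and the precedence
# between markers are assumptions made for illustration.

# detect_scenario DIR: print keys-only | staged | published, or print
# unknown / ambiguous and return non-zero so callers fail closed.
detect_scenario() {
    ds_repo="$1"
    ds_keys=0; ds_staged=0; ds_published=0
    if [ -d "$ds_repo/keys" ]; then ds_keys=1; fi
    if [ -f "$ds_repo/staged/root.json" ]; then ds_staged=1; fi
    if [ -f "$ds_repo/repository/1.root.json" ]; then ds_published=1; fi

    if [ "$ds_staged" -eq 1 ] && [ "$ds_published" -eq 1 ]; then
        echo "ambiguous"; return 2   # two states at once: the verifier must choose
    elif [ "$ds_staged" -eq 1 ]; then
        echo "staged"
    elif [ "$ds_published" -eq 1 ]; then
        echo "published"
    elif [ "$ds_keys" -eq 1 ]; then
        echo "keys-only"
    else
        echo "unknown"; return 1     # mistyped or wrong REPO: nothing to verify
    fi
}

# verification_command DIR: print the single command for the detected scenario.
verification_command() {
    vc_repo="$1"
    vc_scenario=$(detect_scenario "$vc_repo") || {
        echo "refusing to verify $vc_repo: layout is $vc_scenario" >&2
        return 1
    }
    case "$vc_scenario" in
        keys-only) echo "./verify keys --root piv-attestation-ca.pem --key-directory $vc_repo/keys" ;;
        staged)    echo "./verify repository --repository $vc_repo --staged" ;;
        published) echo "./verify repository --repository $vc_repo --root $vc_repo/repository/1.root.json" ;;
    esac
}

# Stand-alone use: REPO=ceremony/YYYY-MM-DD sh this-file.sh
if [ -n "${REPO:-}" ]; then verification_command "$REPO"; fi
```
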
