Skip to content

Add support for verifying multiple artifacts #431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Mar 14, 2025
Merged

Add support for verifying multiple artifacts #431

merged 17 commits into from
Mar 14, 2025

Conversation

malancas
Copy link
Collaborator

@malancas malancas commented Mar 11, 2025
edited
Loading

Summary

Closes #363

This adds support for verifying multiple artifacts against in-toto statement subjects. I added verify.WithArtifacts(artifacts []io.Reader) and verify.WithArtifactDigests([]ArtifactDigest).

To avoid creating nested for loops when checking for the presence of artifacts in the intoto statement, I utilized maps to store subjects stored in the statement by hash algorithm.

Release Note

Documentation

malancas added 12 commits March 7, 2025 09:51
@malancas
add funcs for verifying signatures with multiple subject digests
0e916d7 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add support for verifying with multiple subject digests
91006d0 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add initial support for verifying by multiple artifacts
ea64050 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add method for checking if artifact verification func is already set
c6d9304 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add tests for new multi subject functions
0cdf904 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
update error messages
54b0762 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add missing verify option check
d821fea 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
add logic for breaking loop when a match is found for the verify with…
c8180df 
… artifacts func

Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
digest helper func
955cfb8 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
comments
9bc3de6 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
simplify test
7fba865 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas
reuse multi artifact verification
c0e1859 
Signed-off-by: Meredith Lancaster <[email protected]>
@malancas malancas changed the title Add support for verifying of multiple subjects Add support for verifying multiple artifacts Mar 11, 2025
@codysoyland
Copy link
Member

This looks great so far, nice work! I'll give it a more thorough pass when out of draft.

@malancas
add test calls to check that the functions fail when passed artifacts…
27be243 
… not included in the intoto statement

Signed-off-by: Meredith Lancaster <[email protected]>
malancas
malancas commented Mar 11, 2025
View reviewed changes
@malancas malancas marked this pull request as ready for review March 11, 2025 19:35
@malancas malancas requested a review from a team as a code owner March 11, 2025 19:35
@malancas
keep original var name
7e604f5 
Signed-off-by: Meredith Lancaster <[email protected]>
steiza
steiza reviewed Mar 13, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great!

It would expand the scope of the pull request a bit, but I'm wondering if we should get rid of VerifySignatureWithArtifact and VerifySignatureWithArtifactDigest completely and just use VerifySignatureWithArtifacts and VerifySignatureWithArtifactDigests.

Technically those methods are part of a public API, but from some quick searching of various projects nobody is calling them directly (they're using things like WithArtifact and WithArtifactDigest to construct the policy).

Then we could also get rid of PolicyConfig options like verifyArtifact, artifact, verifyArtifactDigest, and artifactDigest.

What do you think? We'd have to update more files (like pkg/verify/fuzz_test.go) but I think it would actually simplify changes in other places. Just to be clear, we would retain WithArtifact and WithArtifactDigest as convenience functions.

@malancas
Copy link
Collaborator Author

malancas commented Mar 14, 2025
edited
Loading

This looks great!

It would expand the scope of the pull request a bit, but I'm wondering if we should get rid of VerifySignatureWithArtifact and VerifySignatureWithArtifactDigest completely and just use VerifySignatureWithArtifacts and VerifySignatureWithArtifactDigests.

Technically those methods are part of a public API, but from some quick searching of various projects nobody is calling them directly (they're using things like WithArtifact and WithArtifactDigest to construct the policy).

Then we could also get rid of PolicyConfig options like verifyArtifact, artifact, verifyArtifactDigest, and artifactDigest.

What do you think? We'd have to update more files (like pkg/verify/fuzz_test.go) but I think it would actually simplify changes in other places. Just to be clear, we would retain WithArtifact and WithArtifactDigest as convenience functions.

That sounds good for me. Should be easy to update tests. I'll keep WithArtifact and WithArtifactDigest intact.

steiza
steiza approved these changes Mar 14, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@steiza steiza merged commit b2d5707 into sigstore:main Mar 14, 2025
11 checks passed
@malancas malancas deleted the multi-subject-verification branch March 14, 2025 19:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steiza steiza steiza approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support verification of multiple subjects
3 participants
@malancas @codysoyland @steiza