Added guac support in verifier #39
Conversation
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
|
Most of utilities are expanding GUAC's functionality. such as parsing predicates from GUAC model, which does not directly relates to the attestation-verifier. Perhaps we could discuss reaching out to GUAC maintainers to integrate these utilities into the GUAC API? What are your thoughts on this, @SantiagoTorres? |
|
Hey @PradyumnaKrishna, the guac related utility are actually taken from guac known query command. It is just used to retrieve slsa and sbom from graphql server. |
Signed-off-by: Yaxhveer <[email protected]>
|
Yes, You did a great job there! I was thinking that if the utilities were integrated into the GUAC library, it would allow us to easily retrieve the parsed Predicate according to the specifications. It could potentially benefit others using the GUAC library, although I'm not entirely sure. |
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
|
Hi both: before you go too far, would it be worthwhile to have a chat about what you are trying to do, and what the best approach might be? 🙂 |
|
Hey @trishankatdatadog, I am currently contributing as an LFX mentee in in-toto for the project to add native support of GUAC in in-toto. Aim of the project is to retrieve attestation from guac graphql server using purl and verify them against layout. |
Signed-off-by: Yaxhveer <[email protected]>
Understood.
Before you go too far, we should talk about your approach, though. I'll DM you on Slack, and we'll go from there. Thanks! |
|
Actually, I don't see your name on Slack... |
|
@trishankatdatadog Ok, I will dm you. |
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Yaxhveer
changed the title
Signed-off-by: Yaxhveer <[email protected]>
Signed-off-by: Yaxhveer <[email protected]>
Yaxhveer
requested review from
adityasaky,
marcelamelara and
trishankatdatadog
as code owners
|
Since this PR is still in draft, can we convert this to a draft PR until it's actually ready for review? |
Yaxhveer
changed the title
|
Hey @marcelamelara, the PR is ready for review. |
There was a problem hiding this comment.
I'm sorry, I really don't understand the point of this PR.
Why not simply do all the work of fetching attestations from GUAC and signing them (are they currently unsigned?) outside of attestation-verifier? You could prepare this bundle of attestations however you like, and after that simply call the attestation-verifier unchanged.
While we are interested in whether we should instruct the attestation-verifier how to dynamically fetch and compile a bundle attestations at the time of verification, I don't feel that this PR solves that problem in a general manner. Unfortunately, it only works for GUAC, and it'd be much nicer to have a more general mechanism that works with different attestation storage backends.
|
Disclaimer: I haven't had a chance to review this PR yet.
True, but there are a lot of places to draw the line. That functionality could be in a separate repo, a separate package with its own
I agree we want to make this generic eventually (eg. support for archivista, OCI, etc.) but I don't think we can start with a fully generic solution. In fact, my hunch is that the guac integration is likely to be the most distinct of these backends (eg. less straightforward queries, the fact that attestations are constructed for the query raising questions about whether they're signed, etc.), so exploring that one also is very reasonable to me. We could probably combine our experiences / findings of the guac integration with the experiences integrating witness and archivista to construct the generic mechanism for fetching from attestation storage backends. |
The PR allow us to retrieve attestations (slsa and sbom) from the GUAC GraphQL server and proceed with the verification of the attestations. We can save these retrieved attestations using the
--save-attestationflag. To specify which step's attestation should be retrieved from the GraphQL server, thefromGuacfield has been added to the layout structure. Setting this field to true within a step indicates that the attestation will be fetched from the GUAC server.We can define a subject in the layout, which will be used to retrieve the relevant attestation. The subject field is optional, and users can also pass it though the command line using the
--subject/-sflag. The subject can be a package (purl) or an artifact (alg:hash).Layout structure:
Command:
attestation-verifier -l layouts/layout.yml -a test-data -s pkg:guac/generic/bin/fooAlso the attestation step name is matched against it origin file name.
Once the attestation is retrieved, it is wrapped in a DSSE envelope, which would requires a private key. One can either provide the key as a PEM file, or the verifier can generate a private key. This private key is then added as a functionary for the respective step. After being encapsulated in a DSSE envelope, the attestations are passed through the ITE-10 verifier, where the artifact rules are verified.