Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: improve the verification message #2268

Merged
merged 1 commit into from
Sep 23, 2022

Conversation

developer-guy
Copy link
Member

@developer-guy developer-guy commented Sep 20, 2022

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com

Fixes #2216

Summary

Release Note

feat: print the names of custom extensions (like "GitHub Workflow Trigger") rather than OIDs (like 1.3.6.1.4.1.57264.1.2) in the human-readable output of cosign verify{,-attestation}, and use field names (githubWorkflowTrigger) in keys of the JSON output of these commands (the old OID keys are kept for backwards compatibility, but they are deprecated and their use is discouraged).

thx to @znewman01

Documentation

/cc @znewman01

@codecov-commenter
Copy link

codecov-commenter commented Sep 20, 2022

Codecov Report

Merging #2268 (1707d00) into main (0baa044) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #2268   +/-   ##
=======================================
  Coverage   28.57%   28.57%           
=======================================
  Files         131      131           
  Lines        7866     7866           
=======================================
  Hits         2248     2248           
  Misses       5311     5311           
  Partials      307      307           
Impacted Files Coverage Δ
cmd/cosign/cli/verify/verify.go 5.97% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Copy link
Contributor

@znewman01 znewman01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great!

Three points:

  1. It's technically a backwards-incompatible change. If you were relying on the output of Cosign, which should stay relatively stable, using jq or similar and looking for the OIDs, this will break that.

    I think we should do both: set ss.Optional[cosign.CertExtensionGitHubWorkflowTrigger] and ss.Optional[cosign.CertExtensionMap[...]].

  2. Is there a good way to test this? I know there's no verify_test.go right now. Can you make a (very simple!) one for the JSON output?

  3. cosign verify-blob doesn't use PrintVerification like cosign verify and cosign verify-attestation! It may or may not make sense to use PrintVerification there, but we should at least improve the output. You don't need to fix this, but it'd be great if you could file a bug.

@znewman01
Copy link
Contributor

Oh, and can you make the release note a little more detailed? Something like:

feat: print the names of custom extensions (like "GitHub Workflow Trigger") rather than OIDs (like 1.3.6.1.4.1.57264.1.2) in the human-readable output of cosign verify{,-attestation}, and use field names (githubWorkflowTrigger) in keys of the JSON output of these commands (the old OID keys are kept for backwards compatibility, but they are deprecated and their use is discouraged).

@developer-guy developer-guy force-pushed the feature/2216 branch 2 times, most recently from 8cf81ab to 25381b2 Compare September 22, 2022 09:30
@developer-guy
Copy link
Member Author

It's technically a backwards-incompatible change. If you were relying on the output of Cosign, which should stay relatively stable, using jq or similar and looking for the OIDs, this will break that.

Done 🕺🏻

Is there a good way to test this? I know there's no verify_test.go right now. Can you make a (very simple!) one for the JSON output?

Done 🥳

Thx for the really valuable comments and feedbacks ! 🫶

test/cert_utils.go Outdated Show resolved Hide resolved
)

func TestPrintVerification(t *testing.T) {
wantPayload := `
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment about how we want both the OIDs and the cleaned up names for backwards compatibility?

cmd/cosign/cli/verify/verify_test.go Show resolved Hide resolved
"testing"
)

func TestPrintVerification(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you really want, you can add a test for the text-style output (not JSON). But that's totally optional for this PR

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we can do this later, wdyt?

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@dlorenc dlorenc merged commit 04b96dd into sigstore:main Sep 23, 2022
@github-actions github-actions bot added this to the v1.13.0 milestone Sep 23, 2022
jeff-mccoy referenced this pull request in zarf-dev/zarf Oct 7, 2022
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/sigstore/cosign](https://togithub.com/sigstore/cosign) |
require | minor | `v1.12.1` -> `v1.13.0` |

---

### Release Notes

<details>
<summary>sigstore/cosign</summary>

###
[`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0)

> # Highlights
>
> - For users who have deployed a private instance of Fulcio release
v0.6.x and issue certificates with the Username identity, you will need
to upgrade to use this version."

#### Enhancements

- Add support for Fulcio username identity in SAN
([/~https://github.com/sigstore/cosign/pull/2291](https://togithub.com/sigstore/cosign/pull/2291))
- Data race in FetchSignaturesForReference
([/~https://github.com/sigstore/cosign/pull/2283](https://togithub.com/sigstore/cosign/pull/2283))
- Check error on chain verification failure
([/~https://github.com/sigstore/cosign/pull/2284](https://togithub.com/sigstore/cosign/pull/2284))
- feat: improve the verification message
([/~https://github.com/sigstore/cosign/pull/2268](https://togithub.com/sigstore/cosign/pull/2268))
- feat: use stdin as an input for predicate
([/~https://github.com/sigstore/cosign/pull/2269](https://togithub.com/sigstore/cosign/pull/2269))

#### Bug Fixes

- fix: make tlog entry lookups for online verification shard-aware
([/~https://github.com/sigstore/cosign/pull/2297](https://togithub.com/sigstore/cosign/pull/2297))
- Fix: Create a static copy of signatures as part of verification.
([/~https://github.com/sigstore/cosign/pull/2287](https://togithub.com/sigstore/cosign/pull/2287))
- Fix: Remove an extra registry request from verification path.
([/~https://github.com/sigstore/cosign/pull/2285](https://togithub.com/sigstore/cosign/pull/2285))
- fix pivtool generate key touch policy
([/~https://github.com/sigstore/cosign/pull/2282](https://togithub.com/sigstore/cosign/pull/2282))

#### Others

- use scaffolding 0.4.8 for tests.
([/~https://github.com/sigstore/cosign/pull/2280](https://togithub.com/sigstore/cosign/pull/2280))

#### Contributors

-   Asra Ali ([@&#8203;asraa](https://togithub.com/asraa))
- Batuhan Apaydın
([@&#8203;developer-guy](https://togithub.com/developer-guy))
- Carlos Tadeu Panato Junior
([@&#8203;cpanato](https://togithub.com/cpanato))
- Hayden Blauzvern
([@&#8203;haydentherapper](https://togithub.com/haydentherapper))
-   Matt Moore ([@&#8203;mattmoor](https://togithub.com/mattmoor))
-   Ross Tannenbaum ([@&#8203;RTann](https://togithub.com/RTann))
-   Ville Aikas ([@&#8203;vaikas](https://togithub.com/vaikas))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click
this checkbox.

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4yMjIuMyIsInVwZGF0ZWRJblZlciI6IjMyLjIyMi4zIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Noxsios referenced this pull request in zarf-dev/zarf Mar 8, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/sigstore/cosign](https://togithub.com/sigstore/cosign) |
require | minor | `v1.12.1` -> `v1.13.0` |

---

### Release Notes

<details>
<summary>sigstore/cosign</summary>

###
[`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0)

> # Highlights
>
> - For users who have deployed a private instance of Fulcio release
v0.6.x and issue certificates with the Username identity, you will need
to upgrade to use this version."

#### Enhancements

- Add support for Fulcio username identity in SAN
([/~https://github.com/sigstore/cosign/pull/2291](https://togithub.com/sigstore/cosign/pull/2291))
- Data race in FetchSignaturesForReference
([/~https://github.com/sigstore/cosign/pull/2283](https://togithub.com/sigstore/cosign/pull/2283))
- Check error on chain verification failure
([/~https://github.com/sigstore/cosign/pull/2284](https://togithub.com/sigstore/cosign/pull/2284))
- feat: improve the verification message
([/~https://github.com/sigstore/cosign/pull/2268](https://togithub.com/sigstore/cosign/pull/2268))
- feat: use stdin as an input for predicate
([/~https://github.com/sigstore/cosign/pull/2269](https://togithub.com/sigstore/cosign/pull/2269))

#### Bug Fixes

- fix: make tlog entry lookups for online verification shard-aware
([/~https://github.com/sigstore/cosign/pull/2297](https://togithub.com/sigstore/cosign/pull/2297))
- Fix: Create a static copy of signatures as part of verification.
([/~https://github.com/sigstore/cosign/pull/2287](https://togithub.com/sigstore/cosign/pull/2287))
- Fix: Remove an extra registry request from verification path.
([/~https://github.com/sigstore/cosign/pull/2285](https://togithub.com/sigstore/cosign/pull/2285))
- fix pivtool generate key touch policy
([/~https://github.com/sigstore/cosign/pull/2282](https://togithub.com/sigstore/cosign/pull/2282))

#### Others

- use scaffolding 0.4.8 for tests.
([/~https://github.com/sigstore/cosign/pull/2280](https://togithub.com/sigstore/cosign/pull/2280))

#### Contributors

-   Asra Ali ([@&#8203;asraa](https://togithub.com/asraa))
- Batuhan Apaydın
([@&#8203;developer-guy](https://togithub.com/developer-guy))
- Carlos Tadeu Panato Junior
([@&#8203;cpanato](https://togithub.com/cpanato))
- Hayden Blauzvern
([@&#8203;haydentherapper](https://togithub.com/haydentherapper))
-   Matt Moore ([@&#8203;mattmoor](https://togithub.com/mattmoor))
-   Ross Tannenbaum ([@&#8203;RTann](https://togithub.com/RTann))
-   Ville Aikas ([@&#8203;vaikas](https://togithub.com/vaikas))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click
this checkbox.

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4yMjIuMyIsInVwZGF0ZWRJblZlciI6IjMyLjIyMi4zIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

use proper naming for Sigstore OID information inside verification message
5 participants