sigstore 0.1.1 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/sigstore/internal/json.rb +24 -13
- data/lib/sigstore/internal/x509.rb +3 -1
- data/lib/sigstore/models.rb +19 -5
- data/lib/sigstore/policy.rb +5 -3
- data/lib/sigstore/signer.rb +2 -2
- data/lib/sigstore/tuf/updater.rb +2 -0
- data/lib/sigstore/tuf.rb +1 -1
- data/lib/sigstore/verifier.rb +12 -3
- data/lib/sigstore/version.rb +1 -1
- data/lib/sigstore.rb +3 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fa312f6e10182026328d12ad51c96d3cbd38d42634f320cd2b070a1a0623b0c7
|
|
4
|
+
data.tar.gz: 306b5649f38263c3adaf0967dfb5dd6b3f635d481ac67628828bdeaa0f5284d9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f8349026b8a3ce937ff160f052a5d788a9e0b3c1d067687eb04a22ed4541a0ccf7dfb4fc41cb34eab72fc8a151c979e0ca844250ccfb677116fbfe23e299c230
|
|
7
|
+
data.tar.gz: 9a9e0d495263d824313815aad4b0daff4f920e5959b6f843b57b06dc4fa1f87f14d26a2ce3b10f5b3d3ce0ff824c0506e2fa55547c52341f8c792dcce79c2f5c
|
|
@@ -18,33 +18,44 @@ module Sigstore::Internal
|
|
|
18
18
|
module JSON
|
|
19
19
|
# Implements https://wiki.laptop.org/go/Canonical_JSON
|
|
20
20
|
#
|
|
21
|
-
|
|
22
|
-
# serializing into a buffer instead of concatenating strings.
|
|
23
|
-
def self.canonical_generate(data)
|
|
21
|
+
def self.canonical_generate(data, buffer = +"")
|
|
24
22
|
case data
|
|
25
23
|
when NilClass
|
|
26
|
-
"null"
|
|
24
|
+
buffer << "null"
|
|
27
25
|
when TrueClass
|
|
28
|
-
"true"
|
|
26
|
+
buffer << "true"
|
|
29
27
|
when FalseClass
|
|
30
|
-
"false"
|
|
28
|
+
buffer << "false"
|
|
31
29
|
when Integer
|
|
32
|
-
data.to_s
|
|
30
|
+
buffer << data.to_s
|
|
33
31
|
when String
|
|
34
|
-
"
|
|
32
|
+
buffer << '"' << data.gsub(/(["\\])/, '\\\\\1') << '"'
|
|
35
33
|
when Array
|
|
36
|
-
|
|
37
|
-
|
|
34
|
+
buffer << "["
|
|
35
|
+
data.each_with_index do |v, i|
|
|
36
|
+
buffer << "," unless i.zero?
|
|
37
|
+
canonical_generate(v, buffer)
|
|
38
|
+
end
|
|
39
|
+
buffer << "]"
|
|
38
40
|
when Hash
|
|
39
41
|
contents = data.sort_by do |k, _|
|
|
40
42
|
raise ArgumentError, "Non-string key in hash" unless k.is_a?(String)
|
|
41
43
|
|
|
42
44
|
k.encode("utf-16").codepoints
|
|
43
45
|
end
|
|
44
|
-
|
|
45
|
-
|
|
46
|
+
buffer << "{"
|
|
47
|
+
comma = false
|
|
48
|
+
contents.each do |k, v|
|
|
49
|
+
if comma
|
|
50
|
+
buffer << ","
|
|
51
|
+
else
|
|
52
|
+
comma = true
|
|
53
|
+
end
|
|
54
|
+
canonical_generate(k, buffer)
|
|
55
|
+
buffer << ":"
|
|
56
|
+
canonical_generate(v, buffer)
|
|
46
57
|
end
|
|
47
|
-
"
|
|
58
|
+
buffer << "}"
|
|
48
59
|
else
|
|
49
60
|
raise ArgumentError, "Unsupported data type: #{data.class}"
|
|
50
61
|
end
|
|
@@ -38,6 +38,8 @@ module Sigstore
|
|
|
38
38
|
|
|
39
39
|
def self.read(certificate_bytes)
|
|
40
40
|
new(OpenSSL::X509::Certificate.new(certificate_bytes))
|
|
41
|
+
rescue OpenSSL::X509::CertificateError => e
|
|
42
|
+
raise Error::InvalidCertificate, e.message
|
|
41
43
|
end
|
|
42
44
|
|
|
43
45
|
def tbs_certificate_der
|
|
@@ -104,7 +106,7 @@ module Sigstore
|
|
|
104
106
|
|
|
105
107
|
key_usage = extension(Extension::KeyUsage) ||
|
|
106
108
|
raise(Error::InvalidCertificate,
|
|
107
|
-
"no keyUsage in #{
|
|
109
|
+
"no keyUsage in #{openssl.extensions.map(&:to_h)}")
|
|
108
110
|
|
|
109
111
|
unless key_usage.digital_signature
|
|
110
112
|
raise Error::InvalidCertificate,
|
data/lib/sigstore/models.rb
CHANGED
|
@@ -80,6 +80,12 @@ module Sigstore
|
|
|
80
80
|
|
|
81
81
|
def initialize(*)
|
|
82
82
|
super
|
|
83
|
+
|
|
84
|
+
unless bundle.is_a?(Bundle::V1::Bundle)
|
|
85
|
+
raise ArgumentError,
|
|
86
|
+
"bundle must be a #{Bundle::V1::Bundle}, is #{bundle.class}"
|
|
87
|
+
end
|
|
88
|
+
|
|
83
89
|
@trusted_root = TrustedRoot.new(artifact_trust_root)
|
|
84
90
|
@sbundle = SBundle.new(bundle)
|
|
85
91
|
if sbundle.message_signature? && !artifact
|
|
@@ -138,13 +144,19 @@ module Sigstore
|
|
|
138
144
|
expected_hashed_rekord_tlog_entry(hashed_input)
|
|
139
145
|
when :dsse_envelope
|
|
140
146
|
rekor_entry = verification_material.tlog_entries.first
|
|
141
|
-
|
|
147
|
+
canonicalized_body = begin
|
|
148
|
+
JSON.parse(rekor_entry.canonicalized_body)
|
|
149
|
+
rescue JSON::ParserError
|
|
150
|
+
raise Error::InvalidBundle, "expected canonicalized_body to be JSON"
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
case kind_version = canonicalized_body.values_at("kind", "apiVersion")
|
|
142
154
|
when %w[dsse 0.0.1]
|
|
143
155
|
expected_dsse_0_0_1_tlog_entry
|
|
144
156
|
when %w[intoto 0.0.2]
|
|
145
157
|
expected_intoto_0_0_2_tlog_entry
|
|
146
158
|
else
|
|
147
|
-
raise Error::InvalidRekorEntry, "Unhandled rekor entry kind/version: #{
|
|
159
|
+
raise Error::InvalidRekorEntry, "Unhandled rekor entry kind/version: #{kind_version.inspect}"
|
|
148
160
|
end
|
|
149
161
|
else
|
|
150
162
|
raise Error::InvalidBundle, "expected either message_signature or dsse_envelope"
|
|
@@ -154,6 +166,8 @@ module Sigstore
|
|
|
154
166
|
private
|
|
155
167
|
|
|
156
168
|
def validate_version!
|
|
169
|
+
raise Error::InvalidBundle, "bundle requires verification material" unless verification_material
|
|
170
|
+
|
|
157
171
|
case bundle_type
|
|
158
172
|
when BundleType::BUNDLE_0_1
|
|
159
173
|
unless verification_material.tlog_entries.all?(&:inclusion_promise)
|
|
@@ -169,7 +183,7 @@ module Sigstore
|
|
|
169
183
|
raise Error::InvalidBundle,
|
|
170
184
|
"must contain an inclusion proof"
|
|
171
185
|
end
|
|
172
|
-
unless verification_material.tlog_entries.all? { |t| t.inclusion_proof.checkpoint
|
|
186
|
+
unless verification_material.tlog_entries.all? { |t| t.inclusion_proof.checkpoint&.envelope }
|
|
173
187
|
raise Error::InvalidBundle,
|
|
174
188
|
"inclusion proof must contain a checkpoint"
|
|
175
189
|
end
|
|
@@ -192,9 +206,9 @@ module Sigstore
|
|
|
192
206
|
when :certificate
|
|
193
207
|
@leaf_certificate = Internal::X509::Certificate.read(verification_material.certificate.raw_bytes)
|
|
194
208
|
else
|
|
195
|
-
raise Error::InvalidBundle, "Unsupported bundle content: #{content}"
|
|
209
|
+
raise Error::InvalidBundle, "Unsupported bundle content: #{content.inspect}"
|
|
196
210
|
end
|
|
197
|
-
raise Error::InvalidBundle, "
|
|
211
|
+
raise Error::InvalidBundle, "expected certificate to be leaf" unless @leaf_certificate.leaf?
|
|
198
212
|
end
|
|
199
213
|
|
|
200
214
|
def expected_hashed_rekord_tlog_entry(hashed_input)
|
data/lib/sigstore/policy.rb
CHANGED
|
@@ -51,14 +51,16 @@ module Sigstore
|
|
|
51
51
|
OID = "1.3.6.1.4.1.57264.1.1"
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
-
class
|
|
55
|
-
OID = "1.3.6.1.4.1.57264.1.8"
|
|
56
|
-
|
|
54
|
+
class SingleX509ExtDerEncodedPolicy < SingleX509ExtPolicy
|
|
57
55
|
def ext_value(ext)
|
|
58
56
|
OpenSSL::ASN1.decode(ext.value_der).value
|
|
59
57
|
end
|
|
60
58
|
end
|
|
61
59
|
|
|
60
|
+
class OIDCIssuerV2 < SingleX509ExtDerEncodedPolicy
|
|
61
|
+
OID = "1.3.6.1.4.1.57264.1.8"
|
|
62
|
+
end
|
|
63
|
+
|
|
62
64
|
class AnyOf
|
|
63
65
|
def initialize(*policies)
|
|
64
66
|
@policies = policies
|
data/lib/sigstore/signer.rb
CHANGED
|
@@ -97,9 +97,9 @@ module Sigstore
|
|
|
97
97
|
|
|
98
98
|
{
|
|
99
99
|
credentials: {
|
|
100
|
-
|
|
100
|
+
oidcIdentityToken: @identity_token.raw_token
|
|
101
101
|
},
|
|
102
|
-
|
|
102
|
+
certificateSigningRequest: Internal::Util.base64_encode(csr.to_pem)
|
|
103
103
|
}
|
|
104
104
|
end
|
|
105
105
|
|
data/lib/sigstore/tuf/updater.rb
CHANGED
data/lib/sigstore/tuf.rb
CHANGED
data/lib/sigstore/verifier.rb
CHANGED
|
@@ -118,7 +118,7 @@ module Sigstore
|
|
|
118
118
|
|
|
119
119
|
unless store_ctx.verify
|
|
120
120
|
return VerificationFailure.new(
|
|
121
|
-
"failed to validate
|
|
121
|
+
"failed to validate certificate from fulcio cert chain: #{store_ctx.error_string}"
|
|
122
122
|
)
|
|
123
123
|
end
|
|
124
124
|
|
|
@@ -183,7 +183,12 @@ module Sigstore
|
|
|
183
183
|
|
|
184
184
|
case bundle.dsse_envelope.payloadType
|
|
185
185
|
when "application/vnd.in-toto+json"
|
|
186
|
-
|
|
186
|
+
in_toto = begin
|
|
187
|
+
JSON.parse(bundle.dsse_envelope.payload)
|
|
188
|
+
rescue JSON::ParserError
|
|
189
|
+
raise Error::InvalidBundle, "invalid JSON for in-toto statement in DSSE payload"
|
|
190
|
+
end
|
|
191
|
+
verify_in_toto(input, in_toto)
|
|
187
192
|
else
|
|
188
193
|
raise Sigstore::Error::Unimplemented,
|
|
189
194
|
"unsupported DSSE payload type: #{bundle.dsse_envelope.payloadType.inspect}"
|
|
@@ -432,7 +437,11 @@ module Sigstore
|
|
|
432
437
|
|
|
433
438
|
logger.debug { "Found rekor entry: #{entry}" }
|
|
434
439
|
|
|
435
|
-
actual_body =
|
|
440
|
+
actual_body = begin
|
|
441
|
+
JSON.parse(entry.canonicalized_body)
|
|
442
|
+
rescue JSON::ParserError
|
|
443
|
+
raise Error::InvalidRekorEntry, "invalid JSON in rekor entry canonicalized_body"
|
|
444
|
+
end
|
|
436
445
|
if bundle.dsse_envelope?
|
|
437
446
|
# since the hash is over the uncanonicalized envelope, we need to remove it
|
|
438
447
|
#
|
data/lib/sigstore/version.rb
CHANGED
data/lib/sigstore.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sigstore
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- The Sigstore Authors
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-11-19 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: net-http
|
|
@@ -121,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
121
121
|
- !ruby/object:Gem::Version
|
|
122
122
|
version: '0'
|
|
123
123
|
requirements: []
|
|
124
|
-
rubygems_version: 3.5.
|
|
124
|
+
rubygems_version: 3.5.22
|
|
125
125
|
signing_key:
|
|
126
126
|
specification_version: 4
|
|
127
127
|
summary: A pure-ruby implementation of sigstore signature verification
|