Add examples for each of the cosign verification mechanisms #117
Labels
Comments
lkatalin
added
enhancement
danbev
added a commit
to danbev/sigstore-rs
that referenced
this issue
Nov 25, 2022
This commit renames the Bundle struct to RekorBundle and modifies the
existing Bundle struct to contain the rekor_bundle, in addition to a
base64_signature, and cert field.
The motivation for change comes from trying to implement an example
that verifies a blob using a bundle.
For example, first a blob is signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txt
The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):
{
"base64Signature": "...",
"cert": "...",
"rekorBundle": {
"SignedEntryTimestamp": "...",
"Payload": {
"body": "...",
"integratedTime": 1669361833,
"logIndex": 7810348,
"logID": "..."
}
}
}
Currently, to create Bundle (which is called RekorBundle in this commit)
from this one would have to parse the string as json, and then access
the `rekorBundle` element, and then serialize it so that it can be
passed to `Bundle::new_verified` (again RekorBundle in this commit).
With the changes in this commit it will be possible to call
`Bundle::new_verified` and pass in the contents for the bundle file
directly.
Refs: sigstore#117
Signed-off-by: Daniel Bevenius <[email protected]>
danbev
added a commit
to danbev/sigstore-rs
that referenced
this issue
Nov 25, 2022
This commit renames the Bundle struct to RekorBundle and modifies the
existing Bundle struct to contain the rekor_bundle, in addition to a
base64_signature, and cert field.
The motivation for change comes from trying to implement an example
that verifies a blob using a bundle.
For example, first a blob is signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txt
The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):
{
"base64Signature": "...",
"cert": "...",
"rekorBundle": {
"SignedEntryTimestamp": "...",
"Payload": {
"body": "...",
"integratedTime": 1669361833,
"logIndex": 7810348,
"logID": "..."
}
}
}
Currently, to create Bundle (which is called RekorBundle in this commit)
from this, one would have to parse the string as json, and then access
the `rekorBundle` element, and then serialize it so that it can be
passed to `Bundle::new_verified` (again RekorBundle in this commit).
With the changes in this commit it will be possible to call
`Bundle::new_verified` and pass in the contents for the bundle file
directly.
Refs: sigstore#117
Signed-off-by: Daniel Bevenius <[email protected]>
danbev
added a commit
to danbev/sigstore-rs
that referenced
this issue
Nov 25, 2022
This commit renames the Bundle struct to RekorBundle and modifies the
existing Bundle struct to contain the rekor_bundle, in addition to a
base64_signature, and cert field.
The motivation for change comes from trying to implement an example
that verifies a blob using a bundle.
For example, first a blob is signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txt
The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):
{
"base64Signature": "...",
"cert": "...",
"rekorBundle": {
"SignedEntryTimestamp": "...",
"Payload": {
"body": "...",
"integratedTime": 1669361833,
"logIndex": 7810348,
"logID": "..."
}
}
}
Currently, to create Bundle (which is called RekorBundle in this commit)
from this, one would have to parse the string as json, and then access
the `rekorBundle` element, and then serialize it so that it can be
passed to `Bundle::new_verified` (again RekorBundle in this commit).
With the changes in this commit it will be possible to call
`Bundle::new_verified` and pass in the contents for the bundle file
directly.
Refs: sigstore#117
Signed-off-by: Daniel Bevenius <[email protected]>
danbev
added a commit
to danbev/sigstore-rs
that referenced
this issue
Dec 8, 2022
This commit adds a new struct named SignedArtifactBundle which
represents a signed artifact bundle as produced when signing with cosign
and specifying the --bundle option.
The motivation for change comes from trying to implement an example
that verifies a blob using a bundle. For example, first a blob is
signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txt
The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):
{
"base64Signature": "...",
"cert": "...",
"rekorBundle": {
"SignedEntryTimestamp": "...",
"Payload": {
"body": "...",
"integratedTime": 1669361833,
"logIndex": 7810348,
"logID": "..."
}
}
}
Currently, to create Bundle from this, one would have to parse the
string as json, and then access the `rekorBundle` element, and then
serialize it so that it can be passed to `Bundle::new_verified`.
With the changes in this commit it will be possible to call
`SignedArtifactBundle::new_verified` and pass in the contents for the
bundle file directly.
Refs: sigstore#117
Signed-off-by: Daniel Bevenius <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The README specifies that we can:
However, the current documented example is for verifying using a given key only. We should add two more examples.
The text was updated successfully, but these errors were encountered: