@feelepxyz feelepxyz commented Feb 9, 2023

feat: audit signatures verifies attestations

Update audit signatures to also verify Sigstore attestations.

[Screenshot attached: 2023-02-09 13:16:13]

Additional changes:

  • Adding error message to json error output as there are a lot of different failure cases with signature verification that would be hard to debug without this
  • Adding predicateType to json error output for attestations to differentiate between provenance and publish attestations

References:

@bdehamer bdehamer force-pushed the provenance branch 4 times, most recently from dcb5955 to 9e1d642 February 9, 2023 20:14
@feelepxyz feelepxyz marked this pull request as ready for review February 13, 2023 15:44
@feelepxyz feelepxyz requested a review from a team as a code owner February 13, 2023 15:44
@feelepxyz feelepxyz requested review from wraithgar and removed request for a team February 13, 2023 15:44
@wraithgar wraithgar force-pushed the provenance branch 5 times, most recently from 43dd4d8 to cc61923 February 13, 2023 19:06
@feelepxyz feelepxyz changed the base branch from provenance to latest February 14, 2023 11:48
Signed-off-by: Philip Harrison <[email protected]>
Update `audit signatures` to also verify Sigstore attestations.

Additional changes:
- Adding error message to json error output as there are a lot of different failure cases with signature verification that would be hard to debug without this
- Adding predicateType to json error output for attestations to differentiate between provenance and publish attestations

References:
- Pacote changes: npm/pacote#259
- RFC: npm/rfcs#626

Signed-off-by: Philip Harrison <[email protected]>
@wraithgar wraithgar merged commit 79bfd03 into npm:latest Feb 14, 2023
@github-actions github-actions bot mentioned this pull request Feb 14, 2023
@feelepxyz feelepxyz (Contributor, Author) commented:
🥳
