
feat: audit signatures verifies attestations #6153

Merged
merged 2 commits into from Feb 14, 2023

Conversation

feelepxyz
Member

@feelepxyz feelepxyz commented Feb 9, 2023

feat: audit signatures verifies attestations

Update audit signatures to also verify Sigstore attestations.

Screenshot 2023-02-09 at 13 16 13

Additional changes:

  • Adding error message to json error output as there are a lot of different failure cases with signature verification that would be hard to debug without this
  • Adding predicateType to json error output for attestations to differentiate between provenance and publish attestations

References:

@bdehamer bdehamer force-pushed the provenance branch 4 times, most recently from dcb5955 to 9e1d642 February 9, 2023 20:14
@feelepxyz feelepxyz marked this pull request as ready for review February 13, 2023 15:44
@feelepxyz feelepxyz requested a review from a team as a code owner February 13, 2023 15:44
@feelepxyz feelepxyz requested review from wraithgar and removed request for a team February 13, 2023 15:44
@wraithgar wraithgar force-pushed the provenance branch 5 times, most recently from 43dd4d8 to cc61923 February 13, 2023 19:06
@feelepxyz feelepxyz changed the base branch from provenance to latest February 14, 2023 11:48
Signed-off-by: Philip Harrison <philip@mailharrison.com>
Update `audit signatures` to also verify Sigstore attestations.

Additional changes:
- Adding error message to json error output as there are a lot of different failure cases with signature verification that would be hard to debug without this
- Adding predicateType to json error output for attestations to differentiate between provenance and publish attestations

References:
- Pacote changes: npm/pacote#259
- RFC: npm/rfcs#626

Signed-off-by: Philip Harrison <philip@mailharrison.com>
@wraithgar wraithgar merged commit 79bfd03 into npm:latest Feb 14, 2023
@github-actions github-actions bot mentioned this pull request Feb 14, 2023
@feelepxyz
Member Author

🥳
