
Support predicateType: Field predicateType Renamed to predicate_type in Statement Struct #363

Closed
PuneetPunamiya opened this issue Jun 3, 2024 · 2 comments · May be fixed by #403

PuneetPunamiya commented Jun 3, 2024

We recently upgraded our dependency from github.com/in-toto/in-toto-golang/in_toto to github.com/in-toto/attestation/go/v1. While migrating, we encountered a breaking change related to the predicateType field in the Statement struct.

In the previous version (github.com/in-toto/in-toto-golang/in_toto), the StatementHeader struct was defined as:

```go
type StatementHeader struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}
```

In the new version github.com/in-toto/attestation/go/v1, the Statement struct is defined as:

```go
type Statement struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Type          string                `protobuf:"bytes,1,opt,name=type,json=_type,proto3" json:"type,omitempty"`
	Subject       []*ResourceDescriptor `protobuf:"bytes,2,rep,name=subject,proto3" json:"subject,omitempty"`
	PredicateType string                `protobuf:"bytes,3,opt,name=predicate_type,json=predicateType,proto3" json:"predicate_type,omitempty"`
	Predicate     *structpb.Struct      `protobuf:"bytes,4,opt,name=predicate,proto3" json:"predicate,omitempty"`
}
```

With this, when we try to run the cosign verification command, it throws an error:

```
cosign verify-blob-attestation --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets --signature sig --type slsaprovenance --check-claims=false /dev/null
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob attestation.
Error: invalid predicate type, expected slsaprovenance got 
main.go:74: error during command execution: invalid predicate type, expected slsaprovenance got 
```

This is because the payload has predicate_type instead of predicateType.

Reference links for chains update - https://github.com/tektoncd/chains/pull/1111/files#diff-44a01d12a6c7c8d0b69c0e0c1773b23312d82ee4de20166c37f75a66823a026fL3

@PuneetPunamiya PuneetPunamiya changed the title Support for predicateType Support predicateType: Field predicateType Renamed to predicate_type in Statement Struct Jun 3, 2024
@renzodavid9

I think I see what's happening:

In the Statement struct:

```go
type Statement struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Type          string                `protobuf:"bytes,1,opt,name=type,json=_type,proto3" json:"type,omitempty"`
	Subject       []*ResourceDescriptor `protobuf:"bytes,2,rep,name=subject,proto3" json:"subject,omitempty"`
	PredicateType string                `protobuf:"bytes,3,opt,name=predicate_type,json=predicateType,proto3" json:"predicate_type,omitempty"`
	Predicate     *structpb.Struct      `protobuf:"bytes,4,opt,name=predicate,proto3" json:"predicate,omitempty"`
}
```

We can see the PredicateType field has the tag json=predicateType,proto3. To get the value in JSON with the label predicateType instead of predicate_type, we should use protojson.Marshal (from google.golang.org/protobuf/encoding/protojson) instead of json.Marshal in https://github.com/tektoncd/chains/blob/dc4e8acf1421abb2ce2e9fae85394762452b75d9/pkg/chains/signing.go#L147-L176, so this is something that can be solved from Chains. I'm taking a look at it right now.
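The failure mode described above can be reproduced without the protobuf module, and a producer can catch it before signing. The following is an added example, not code from this issue, from Tekton Chains or from the in-toto attestation repo; it uses only the Go standard library. ProtoStyleStatement is a constructed stand-in that keeps the json struct tags of the generated v1.Statement but drops the protobuf tags and protoimpl internals, so it shows what encoding/json emits for that struct; it cannot show protojson.Marshal itself (the fix the comment proposes), which needs google.golang.org/protobuf. The StatementHeader, function names, and sample URIs are this example's own choices.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ProtoStyleStatement is a constructed stand-in for the protobuf-generated
// v1.Statement: same json struct tags (json:"type", json:"predicate_type", ...)
// but without the protobuf tags and protoimpl fields, so it needs only stdlib.
type ProtoStyleStatement struct {
	Type          string            `json:"type,omitempty"`
	Subject       []json.RawMessage `json:"subject,omitempty"`
	PredicateType string            `json:"predicate_type,omitempty"`
	Predicate     json.RawMessage   `json:"predicate,omitempty"`
}

// StatementHeader is the in-toto Statement wire format a verifier such as
// cosign decodes: "_type", "subject" and the camelCase "predicateType".
type StatementHeader struct {
	Type          string            `json:"_type"`
	Subject       []json.RawMessage `json:"subject"`
	PredicateType string            `json:"predicateType"`
}

// MarshalLikeChainsDid reproduces the producer side of the issue: encoding/json
// follows the generated json tags and emits snake_case keys.
func MarshalLikeChainsDid(s ProtoStyleStatement) ([]byte, error) {
	return json.Marshal(s)
}

// ReadPredicateType is the verifier-side read. With a snake_case payload the
// camelCase key is simply absent, so the value comes back empty, which is what
// produces "invalid predicate type, expected slsaprovenance got " in the issue.
func ReadPredicateType(payload []byte) (string, error) {
	var h StatementHeader
	if err := json.Unmarshal(payload, &h); err != nil {
		return "", err
	}
	return h.PredicateType, nil
}

// CheckStatementKeys inspects the raw top-level keys of a statement before it
// is signed or verified and names the wire-format mismatch directly, instead of
// letting it surface later as an empty predicate type.
func CheckStatementKeys(payload []byte) error {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(payload, &obj); err != nil {
		return fmt.Errorf("statement is not a JSON object: %w", err)
	}
	var problems []string
	if _, ok := obj["predicate_type"]; ok {
		problems = append(problems, `snake_case "predicate_type" present: statement was marshalled with encoding/json instead of protojson`)
	}
	for _, key := range []string{"_type", "subject", "predicateType"} {
		if _, ok := obj[key]; !ok {
			problems = append(problems, fmt.Sprintf("required key %q missing", key))
		}
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	// Constructed sample statement. The URIs are the in-toto Statement v1 type
	// and the SLSA provenance v0.2 predicate type, used here as illustrative values.
	stmt := ProtoStyleStatement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []json.RawMessage{json.RawMessage(`{"name":"example-image","digest":{"sha256":"0000"}}`)},
		PredicateType: "https://slsa.dev/provenance/v0.2",
		Predicate:     json.RawMessage(`{}`),
	}
	payload, err := MarshalLikeChainsDid(stmt)
	if err != nil {
		panic(err)
	}
	fmt.Println("json.Marshal output:", string(payload))
	pt, _ := ReadPredicateType(payload)
	fmt.Printf("verifier sees predicateType=%q\n", pt) // empty: the key on the wire is predicate_type
	fmt.Println("check:", CheckStatementKeys(payload))
}
```

Running CheckStatementKeys on the producer side (right after marshalling, before the DSSE envelope is signed) turns a confusing downstream verification error into a build-time failure that names the cause; the same check is useful in a verifier's pre-flight to distinguish a malformed statement from a predicate-type mismatch.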

@marcelamelara (Contributor)

@PuneetPunamiya thanks for reporting. Yes, the in-toto-golang data structures are not compatible with the protobuf-generated ones. Thanks for transitioning to the Go bindings in this repo as we are in the process of deprecating the APIs in in-toto-golang.

I'm closing this issue since I see there's a closed PR related to this. Please let me know if this needs to be reopened.

gillisandrew added a commit to gillisandrew/sigstore-go that referenced this issue Oct 31, 2024
gillisandrew added a commit to gillisandrew/in-toto-attestation that referenced this issue Nov 1, 2024
codysoyland pushed a commit to sigstore/sigstore-go that referenced this issue Dec 20, 2024
codysoyland added a commit to sigstore/sigstore-go that referenced this issue Dec 20, 2024
* Fix intoto statement marshal/unmarshal (see in-toto/attestation#363)

Signed-off-by: Andrew Gillis <[email protected]>

* Apply modified tests from be320de

Co-authored-by: Andrew Gillis <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>

* Simplify custom Marshal, remove Unmarshal

Signed-off-by: Cody Soyland <[email protected]>

* Add custom UnmarshalJSON to VerificationResult

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Andrew Gillis <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>
Co-authored-by: Andrew Gillis <[email protected]>