Provide a way to skip VSA signing/wrapping when creating VSAs #3020
+239
−28
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces the ability to upload raw VSA attestations without DSSE envelope signing for cases where signature verification is not required. Changes: - Add --disable-vsa-signing flag to ec validate image command - Modify VSA service to conditionally skip DSSE envelope creation - Update upload logic to handle both signed envelopes and raw predicates - Add validation to ensure proper flag combinations - Enhance logging to distinguish between signed and unsigned modes When --disable-vsa-signing is set, the VSA predicate is uploaded directly without wrapping it in a signed DSSE envelope, while maintaining full backwards compatibility with existing signed VSA workflows. Co-Authored-By: Claude <[email protected]> Ref: https://issues.redhat.com/browse/EC-1546
Enhances VSA validation to handle both signed DSSE envelopes and unsigned raw VSA predicates, enabling validation of VSAs created with --disable-vsa-signing. Changes: - Modify file retriever to auto-detect DSSE envelope vs raw predicate formats - Add parseRawPredicate() to wrap raw predicates in minimal DSSE structure - Update error handling and tests to reflect dual format support - Maintain full backward compatibility with existing signed VSA workflows When validating raw VSA predicates, use --ignore-signature-verification to skip signature checks. The file retriever transparently handles format differences, allowing the rest of the validation pipeline to work unchanged. Co-Authored-By: Claude <[email protected]> Ref: https://issues.redhat.com/browse/EC-1546
simonbaird
changed the title
Codecov Report❌ Patch coverage is
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Might squash later
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signing the VSA might be something we don't need. Provide a way to skip the wrapping of the VSA predicate in a signed DSSE envelope. Also requires some related changes when reading the VSA to make sure we can handle the "unwrapped" versions.
This is pure Claude and I didn't actually test it, but will try to use it now and see how it goes.
Ref: https://issues.redhat.com/browse/EC-1546