Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add public key hash check in Signed Note verification #2214

Merged
merged 3 commits into from
Aug 27, 2024
Merged

Add public key hash check in Signed Note verification #2214

merged 3 commits into from
Aug 27, 2024

Conversation

hojoungjang
Copy link
Contributor

Summary

This PR adds a public key hash check in SignedNote.Verify method.
The hash stored in note.Signature is compared against the verifier's public key hash. If the hash mismatches, the verification fails.

Release Note

  • SignedNote.Sign is updated to use GetPublicKeyHash function.
  • GetPublicKeyHash is added to calculate sha256 hash of the input public key (copied the existing logic in SignedNote.Sign method)
  • SignedNote.Verify is updated to compare hash stored in note.Signature is and the verifier's public key hash.

Documentation

@hojoungjang hojoungjang requested a review from a team as a code owner August 21, 2024 04:50
@hojoungjang hojoungjang changed the title Hojoungjang/issue 389 Add public key hash check in Signed Note verification Aug 21, 2024
@hojoungjang
Update Verify method to perform PK hash check
dc6d464 
Signed-off-by: Jang <[email protected]>
@hojoungjang
Update unit test file
97d9e08 
Update existing tests and ensure they work as expected and add a unit test case
to check for public key mismatch.

Signed-off-by: Jang <[email protected]>
@codecov Codecov
Copy link

codecov bot commented Aug 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 58.82353% with 7 lines in your changes missing coverage. Please review.

Project coverage is 51.44%. Comparing base (488eb97) to head (5261d5f).
Report is 188 commits behind head on main.

Files Patch % Lines
pkg/util/signed_note.go 58.82% 4 Missing and 3 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #2214       +/-   ##
===========================================
- Coverage   66.46%   51.44%   -15.02%     
===========================================
  Files          92      189       +97     
  Lines        9258    19478    +10220     
===========================================
+ Hits         6153    10021     +3868     
- Misses       2359     8378     +6019     
- Partials      746     1079      +333
Flag Coverage Δ
e2etests 50.24% <52.94%> (+2.68%) ⬆️
unittests 43.02% <58.82%> (-4.66%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@hojoungjang
Copy link
Contributor Author

@haydentherapper Thanks! I have addressed your comment.

haydentherapper
haydentherapper approved these changes Aug 26, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@hojoungjang
Copy link
Contributor Author

Thanks for the review. I will leave this as it is for now since I don't have the permission to merge. Please let me know if there is anything I can do.

@haydentherapper haydentherapper merged commit ab3e6b4 into sigstore:main Aug 27, 2024
15 checks passed
@github-actions github-actions bot added this to the v1.2.2 milestone Aug 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.2.2
Development

Successfully merging this pull request may close these issues.

Signed Note verification question
2 participants
@hojoungjang @haydentherapper