Skip to content
This repository was archived by the owner on Jun 25, 2024. It is now read-only.

[WIP] Add verify command and enable use with CI/CD#34

Draft
doodzik wants to merge 82 commits into
sigstore:mainfrom
Shopify:main
Draft

[WIP] Add verify command and enable use with CI/CD#34
doodzik wants to merge 82 commits into
sigstore:mainfrom
Shopify:main

Conversation

@doodzik
Copy link
Copy Markdown

@doodzik doodzik commented Oct 29, 2021
edited
Loading

No description provided.

@doodzik doodzik changed the title [WIP] This PR tracks the work on the plugin done at Shopify [WIP] Add verify command Oct 29, 2021
doodzik and others added 21 commits October 28, 2021 22:15
@doodzik
sign gem
9a09388
@doodzik
Merge pull request #2 from Shopify/use_rubygems_style_guide
cf7fba9 
Use rubygems style guide
@rochlefebvre @doodzik
Restore default SSL peer verification for connections to fulcio (#4)
8a7d2ad 
Co-authored-by: Frederik Dudzik <5946811+doodzik@users.noreply.github.com>
@doodzik
push cert chain to rekord
6bb57af
@doodzik
Merge pull request #8 from Shopify/sign_gem
25a4ec2 
Sign gem
@rochlefebvre
super terrible gem verify implementation
b8f637a
@doodzik
Merge pull request #11 from Shopify/gem-install--verify
13afc81 
super terrible `gem verify` implementation
@doodzik
add gemfile class
3613202
@doodzik
add namespaces
286d05f
@doodzik
move fulcio api calls out of http client
0e0f307
@doodzik
move rekor api out of http
5e945af
@doodzik
add gem signer and verifier classes
195bd1b
@rochlefebvre
misc fixes
ac7728f
@rochlefebvre
various fixes to get sign & verify working
f20d826
@doodzik
Merge pull request #9 from Shopify/refactor
3994ba0 
Some refactors
@rochlefebvre
exclude byebug_history from git
193ed4b
@rochlefebvre
Retrieve root certificate using signing certificate's AIA extension (#18
a37e8f1 
)

* define CertChain and CertExtensions

* Extract cert code from RekordEntry

* remove method_missing stuff from CertExtensions

* move issuing certificate retrieval into CertExtensions

* move subject_alt_name into CertExtensions
@rochlefebvre
print all unique emails from valid signature entries
714cda5
@rochlefebvre
Merge pull request #20 from Shopify/list_all_signer_emails
ce9d0bc 
Print all unique emails from valid signature entries
@rochlefebvre
Clean up some of the printed messages
83428c0
@rochlefebvre
Merge pull request #22 from Shopify/improve-output-messaging
7467a4f 
Clean up some of the printed messages
@doodzik doodzik changed the title [WIP] Add verify command [WIP] Add verify command and enable use with CI/CD Nov 18, 2021
@doodzik
Copy link
Copy Markdown
Author

doodzik commented Dec 9, 2021
edited
Loading

Will do 👍
There are still some things we want to get done before opening it up for review.

rochlefebvre and others added 28 commits December 15, 2021 10:57
@rochlefebvre
Support empty responses in Rekor::Api#where
d5ba747
@doodzik
add decision log
770c03a
@doodzik
Merge pull request #48 from Shopify/create_decision_log
d20d841 
add decision log
@rochlefebvre
Merge pull request #45 from Shopify/fix-verify-unsigned-gem
96c1553 
Fix NoMethodError for `gem verify` on an unsigned gem
@rochlefebvre
Combine sign and verify into a new signature command
7c00ea3
@rochlefebvre
Merge pull request #51 from Shopify/add-signatures-command
c5869f7 
Add a `gem signatures` command
@doodzik @rochlefebvre
add verify to install command
f9684af 
add siging_policy
@rochlefebvre
Merge pull request #50 from Shopify/bundler_verify_command
1ea850b 
make verify command work in bundler
@rochlefebvre
Delete gem sign and gem verify
e09fa5a
@rochlefebvre
Rename install command's --verify option to --verify-signatures
0508d64
@aellispierce
Merge pull request #53 from Shopify/clean-up-commands
858e7d7 
Delete the `gem sign` and `gem verify` commands
@aellispierce
Merge pull request #54 from Shopify/rename-verify-option-to-verify-si…
c2eee4c 
…gnatures

Rename `install` command's --verify option to --verify-signatures
@jchestershopify
Merge pull request #55 from Shopify/clean-up-commands
3983a41 
Rename install command's --verify option to --verify-signatures
@rochlefebvre @aellispierce
Update the README
393af47
@aellispierce
Merge pull request #44 from Shopify/update-readme
2ede6a0 
Update the README
@aellispierce @jchestershopify
Validate file is a gem on signatures command
e2eeeac 
Co-authored-by: Jacques Chester <jacques.chester@shopify.com>
@aellispierce @jchestershopify
Remove unreachable raise
37460c4 
When these pre-install hooks are called, Rubygems has already validated
that the given package is a valid gem, both locally and remotely. If the
file does not exist or is not a valid gemfile, no package exists on the
installer at line 32. Plus, Rubygems raises an error.

Co-authored-by: Jacques Chester <jacques.chester@shopify.com>
@aellispierce
Fix Ruby 3.1 net/smtp bug
86a64be 
Ruby 3.1 adds net/smtp to default standard library gems. Since we don't
have a mailer in this project we need to explicitly not include it.

Ref:
https://stackoverflow.com/questions/70500220/rails-7-ruby-3-1-loaderror-cannot-load-such-file-net-smtp
@aellispierce
Add quotes around ruby version numbers
489a1a4 
If numbers are not quoted, the YAML parser will treat 3.0 as '3' and so
the latest version minor version of 3, 3.1 will run instead of sticking
with the 3.0.x patch version.

Also adds quotes around the other ruby versions for consistency
@aellispierce
Test 3.1
3274d9b
@aellispierce
Merge pull request #56 from Shopify/validate_file_gemminess
d157c51 
Validate file is a gem on signature command
@rochlefebvre
Fix reference to undefined variable
6c65818
@rochlefebvre
Check responses from Fulcio/Rekor POSTs, raise unless expected
4bc8603
@rochlefebvre
Merge pull request #62 from Shopify/raise-on-unexpected-fulcio-rekor-…
b8621f0 
…responses

Check responses from Fulcio/Rekor POSTs, raise unless expected
@rochlefebvre
extract Signature module from Rekord
a9a6f90
@rochlefebvre
store signatures in hashedrekord
14c84d9
@rochlefebvre
support verification of hashedrekord signatures
19c0606
@rochlefebvre
Merge pull request #63 from Shopify/use-hashedrekord
1fd5157 
Store gem signatures in a hashedrekord
@lukehinds
Copy link
Copy Markdown
Member

lukehinds commented Feb 9, 2024

I guess this is dead now, any more interest in the work @doodzik ?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@doodzik @lukehinds @rochlefebvre @aellispierce @jchestershopify