Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Send rekor tlog index to webapp when publishing results #1169

Merged
merged 5 commits into from
Jul 7, 2023
Merged

✨ Send rekor tlog index to webapp when publishing results #1169

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
cf2bb13
wip
spencerschrock May 23, 2023
f164fdf
Include rekor tlog index in POST to scorecard API.
spencerschrock May 24, 2023
0cb2933
Merge branch 'main' into feat/publish-tlog-index
spencerschrock Jun 12, 2023
7a2d1fd
Add tests for extractTlogIndex
spencerschrock Jun 12, 2023
b821845
Merge branch 'main' into feat/publish-tlog-index
spencerschrock Jul 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Include rekor tlog index in POST to scorecard API. 
Signed-off-by: Spencer Schrock <sschrock@google.com>
  • Loading branch information
@spencerschrock
spencerschrock committed May 24, 2023
commit f164fdff28beb0e516ce98e5c65f6efef461637b
30 changes: 21 additions & 9 deletions signing/signing.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
//
// SPDX-License-Identifier: Apache-2.0

// Package signing provides functionality to sign and upload results to the Scorecard API.
package signing

import (
Expand Down Expand Up @@ -44,7 +45,8 @@ var (

// Signing is a signing structure.
type Signing struct {
token string
token string
rekorTlogIndex int64
}

// New creates a new Signing instance.
Expand Down Expand Up @@ -96,16 +98,11 @@ func (s *Signing) SignScorecardResult(scorecardResultsFile string) error {
return fmt.Errorf("error signing payload: %w", err)
}

contents, err := os.ReadFile(bundlePath)
rekorTlogIndex, err := extractTlogIndex(bundlePath)
if err != nil {
return fmt.Errorf("reading cosign bundle file: %w", err)
}

var payload cosign.LocalSignedPayload
err = json.Unmarshal(contents, &payload)
if err != nil {
return fmt.Errorf("invalid cosign bundle file: %w", err)
return err
}
s.rekorTlogIndex = rekorTlogIndex

return nil
}
Expand Down Expand Up @@ -143,10 +140,12 @@ func (s *Signing) ProcessSignature(jsonPayload []byte, repoName, repoRef string)
Result string `json:"result"`
Branch string `json:"branch"`
AccessToken string `json:"accessToken"`
TlogIndex int64 `json:"tlogIndex"`
raghavkaul marked this conversation as resolved.
Show resolved Hide resolved
}{
Result: string(jsonPayload),
Branch: repoRef,
AccessToken: s.token,
TlogIndex: s.rekorTlogIndex,
}

payloadBytes, err := json.Marshal(resultsPayload)
Expand Down Expand Up @@ -190,3 +189,16 @@ func (s *Signing) ProcessSignature(jsonPayload []byte, repoName, repoRef string)

return nil
}

func extractTlogIndex(bundlePath string) (int64, error) {
contents, err := os.ReadFile(bundlePath)
if err != nil {
return 0, fmt.Errorf("reading cosign bundle file: %w", err)
}
var payload cosign.LocalSignedPayload
err = json.Unmarshal(contents, &payload)
if err != nil || payload.Bundle == nil {
return 0, fmt.Errorf("invalid cosign bundle file: %w", err)
}
return payload.Bundle.Payload.LogIndex, nil
}