Add gitsign show subcommand.

[wlynch]

Summary

Adds a new subcommand that outputs an in-toto Statement containing the source provenance of the given commit. This works for both Gitsign + GPG signed git commits - it extracts the cert information if present.

This can be coupled with other tools like cosign to produce attestations, i.e.:

$ cosign attest --predicate <(gitsign show) <image>

Also moves io Stream creation into the root RunE func so that streams aren't created for subcommands that don't need them.

Possibly fixes #105 (@Dentrax @developer-guy let me know what you think!)

cc @adityasaky (you may be interested in this)

Signed-off-by: Billy Lynch [email protected]

Release Note

• 🎁 Adds new gitsign show subcommand to print out an in-toto Statement for a given Git commit.

Documentation

I plan on generating cobra docs in another PR!

[nsmith5]

Might have just missed this on my reading, but can we add the same verification logic from gitsign --verify as well when we parse the signature to check its authentic?

[wlynch]

Might have just missed this on my reading, but can we add the same verification logic from gitsign --verify as well when we parse the signature to check its authentic?

I'm not against it, but the nice thing about just formatting without verification is that this works for any signature type - GPG, SSH, x509, Gitsign, etc.

If we add verification then we'd probably need to add support for the other key types to stay consistent (which opens a whole can of worms).

[nsmith5]

Ah I see, is there a generic git command someone could run first to do verification prior to this that works for any signature type?

[wlynch]

Ah I see, is there a generic git command someone could run first to do verification prior to this that works for any signature type?

Not really 😬 There's git verify-commit but that just shells out to whatever signing tool is available (so if you have gitsign configured it can only verify gitsign). Git itself assumes that everything in the repo uses the same signing scheme (which is unfortunate since that's not what users do in practice in a shared repo).

What we can do as a happy medium is add a --verify flag, though I'm not sure if we should make this default to true or false. 🤔

[nsmith5]

I'd prefer --verify true as the default. I feel like --verify false default makes it easy to add an attestation without actually checking its authentic. I'd even be in favour of the flag being someing like --insecure-skip-verification to make it clear that you're just passing the signature along without checking. And maybe also state that in the attestation to make it clear that we didn't actually check the signature so like

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "gitsign.sigstore.dev/predicate/git/v0.1",
  "subject": [
    {
      "name": "[email protected]:wlynch/gitsign.git",
      "digest": {
        "sha1": "10a3086104c5331623be85a5e30d709f457b536b"
      }
    }
  ],
  "predicate": {
    "source": {
      "tree": "194fca354a2439028e347ce5e19e4db45bd708a6",
      "parents": [
        "2eaf8fc6d66505baa90640d018e1131cd8e99334"
      ],
      "author": {
        "name": "Billy Lynch",
        "email": "[email protected]",
        "date": "2022-11-14T16:13:19-05:00"
      },
      "committer": {
        "name": "Billy Lynch",
        "email": "[email protected]",
        "date": "2022-11-14T16:13:19-05:00"
      },
      "message": "add sample\n"
    },
+  "signature_verified": false,
    "signature": "-----BEGIN SIGNED MESSAGE-----\nMIIEAwYJKoZIhvcNAQcCoIID9DCCA/ACAQExDTALBglghkgBZQMEAgEwCwYJKoZI\nhvcNAQcBoIICpDCCAqAwggImoAMCAQICFFTzLmXKAlKX5xTUaYoUE5giCxZvMAoG\nCCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln\nc3RvcmUtaW50ZXJtZWRpYXRlMB4XDTIyMTExNDIxMTMyM1oXDTIyMTExNDIxMjMy\nM1owADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH++UCDlF9MaQCSgDKQ0bWhD\neOmTrk1sEHw9Oel1eCyrr3SFhDAghcO3VwO7baYmL16fUwRYwMhj5urowsLVrjKj\nggFFMIIBQTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD\nVR0OBBYEFHMPDOs6IDY/iRnVqacIj/yvJbNpMB8GA1UdIwQYMBaAFN/T6c9WJBGW\n+ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2\nMCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYK\nKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAv\nKe6OAAABhHf9WZAAAAQDAEcwRQIgV8anMDEjbHI/WvGxpJmm44DgBTYf5bkfBJIP\n6FJtqXYCIQD/noLzthDKgjrXoiep/BqqnygoTRM9HKim+DRMbwHteDAKBggqhkjO\nPQQDAwNoADBlAjEAvHvqOAKT34QQx9PSuOswQfquByALdzA1ES0nx4M5i47kqNeE\nBl612/hYTD1ydpLIAjBTWiHDtdxM9rriTIyGGJubC0+vNcccsURDTJ+A3XnMAER3\nikl/cJ2wG9c8ZN7AUS8xggElMIIBIQIBATBPMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlAhRU8y5lygJSl+cU\n1GmKFBOYIgsWbzALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN\nAQcBMBwGCSqGSIb3DQEJBTEPFw0yMjExMTQyMTEzMjNaMC8GCSqGSIb3DQEJBDEi\nBCC9Yk93XCRKy6FPCb8dAqjdWpjb1NIbFtTo9CP6yYOZQjAKBggqhkjOPQQDAgRH\nMEUCIQCq+2Zs0bBcAAciePeeRpzmfVJ2gEu7sGngy+TcYpS0ugIgL9Qix3V8taBV\n+Tb6rMZmt80sfGsYhUqE8KsIF1AEc+8=\n-----END SIGNED MESSAGE-----\n",
    "signer_info": [
      {
        "attributes": "MWkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjIxMTE0MjExMzIzWjAvBgkqhkiG9w0BCQQxIgQgvWJPd1wkSsuhTwm/HQKo3VqY29TSGxbU6PQj+smDmUI=",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIICoDCCAiagAwIBAgIUVPMuZcoCUpfnFNRpihQTmCILFm8wCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMTE0MjExMzIzWhcNMjIxMTE0MjEyMzIzWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEf75QIOUX0xpAJKAMpDRtaEN46ZOuTWwQfD05\n6XV4LKuvdIWEMCCFw7dXA7ttpiYvXp9TBFjAyGPm6ujCwtWuMqOCAUUwggFBMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUcw8M\n6zogNj+JGdWppwiP/K8ls2kwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wIgYDVR0RAQH/BBgwFoEUYmlsbHlAY2hhaW5ndWFyZC5kZXYwKQYKKwYBBAGD\nvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGKBgorBgEEAdZ5AgQC\nBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGEd/1Z\nkAAABAMARzBFAiBXxqcwMSNscj9a8bGkmabjgOAFNh/luR8Ekg/oUm2pdgIhAP+e\ngvO2EMqCOteiJ6n8GqqfKChNEz0cqKb4NExvAe14MAoGCCqGSM49BAMDA2gAMGUC\nMQC8e+o4ApPfhBDH09K46zBB+q4HIAt3MDURLSfHgzmLjuSo14QGXrXb+FhMPXJ2\nksgCMFNaIcO13Ez2uuJMjIYYm5sLT681xxyxRENMn4DdecwARHeKSX9wnbAb1zxk\n3sBRLw==\n-----END CERTIFICATE-----\n"
      }
    ]
  }
}

My thinking here is that folks need to make policy decisions based on this attestations and might not have access to go pull the source and verify themselves at that point (that is why we're using this attestation in the first place) so we want some clear signals that it was verified by the entity that signed this attestation.

[nsmith5]

If we just fail out on SSH signatures and x509 is ok for now? I feel like if you're reaching for this tool its a corner case because you probably

• Have no sig
• Got signed by github GPG key
• Have a gitsign signature

So we'll be able to handle the common situations

[wlynch]

If we just fail out on SSH signatures and x509 is ok for now? I feel like if you're reaching for this tool its a corner case because you probably

• Have no sig
• Got signed by github GPG key
• Have a gitsign signature

So we'll be able to handle the common situations

We wouldn't be able to verify anything that isn't Gitsign, including GPG / GitHub web-flow signed commits which is why I'm worried. 😬

Unsigned commits is also an interesting case - my gut feeling is that I think it's okay to produce provenance documents that don't have a signature. It's up to the attestor to determine if that's something they are willing to sign off on.

[nsmith5]

We wouldn't be able to verify anything that isn't Gitsign, ....

Ahh dang ok, I understand your hesitation now.

[eddiezane]

Nice job! I have a few things.

[eddiezane]

/lgtm