Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-06-20 12:14:23 -04:00
Code Issues Projects Releases Packages Wiki Activity

Improve measurements verification with Rekor (#206)

Browse source 
Fetched measurements are now verified using Rekor in addition to a signature check.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
This commit is contained in:
Fabian Kammel 2022-10-11 13:57:52 +02:00 committed by GitHub
parent 1c29638421
commit 57b8efd1ec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 1320 additions and 322 deletions
Download patch file Download diff file Expand all files Collapse all files

17
cli/internal/cmd/configfetchmeasurements.go
View file

@ -16,6 +16,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/sigstore"
"github.com/spf13/afero"
"github.com/spf13/cobra"
)
@ -42,10 +43,14 @@ type fetchMeasurementsFlags struct {
func runConfigFetchMeasurements(cmd *cobra.Command, args []string) error {
fileHandler := file.NewHandler(afero.NewOsFs())
return configFetchMeasurements(cmd, fileHandler, http.DefaultClient)
rekor, err := sigstore.NewRekor()
if err != nil {
return fmt.Errorf("constructing Rekor client: %w", err)
}
return configFetchMeasurements(cmd, rekor, fileHandler, http.DefaultClient)
}
func configFetchMeasurements(cmd *cobra.Command, fileHandler file.Handler, client *http.Client) error {
func configFetchMeasurements(cmd *cobra.Command, verifier rekorVerifier, fileHandler file.Handler, client *http.Client) error {
flags, err := parseFetchMeasurementsFlags(cmd)
if err != nil {
return err
@ -67,10 +72,16 @@ func configFetchMeasurements(cmd *cobra.Command, fileHandler file.Handler, clien
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
defer cancel()
var fetchedMeasurements config.Measurements
if err := fetchedMeasurements.FetchAndVerify(ctx, client, flags.measurementsURL, flags.signatureURL, []byte(constants.CosignPublicKey)); err != nil {
hash, err := fetchedMeasurements.FetchAndVerify(ctx, client, flags.measurementsURL, flags.signatureURL, []byte(constants.CosignPublicKey))
if err != nil {
return err
}
if err := verifyWithRekor(cmd.Context(), verifier, hash); err != nil {
cmd.Printf("Ignoring Rekor related error: %v\n", err)
cmd.Println("Make sure the downloaded measurements are trustworthy!")
}
conf.UpdateMeasurements(fetchedMeasurements)
if err := fileHandler.WriteYAML(flags.config, conf, file.OptOverwrite); err != nil {
return err