
VSA signing #2599

Merged

joejstuart merged 1 commit into conforma:main from joejstuart:ec-1308-refactor on Jul 3, 2025

Conversation

@joejstuart (Contributor)

Introduce the VSA signing, which signs a Verification Summary Attestation (VSA) JSON file using a cosign-compatible private key. This writes a detached, base64-encoded signature alongside the VSA and returns the absolute path to the signature file. It handles key loading, passphrase support, payload reading, signing, and signature persistence with robust error handling.

https://issues.redhat.com/browse/EC-1308

@simonbaird (Member)

Didn't get to this yet, will aim to have a look tomorrow.

@st3penta (Contributor) left a comment

The functionality looks good to me, I just left a couple of nitpicks about code style.

Comment thread internal/validate/vsa/interfaces.go Outdated
Comment thread internal/validate/vsa/attest.go Outdated
Comment thread internal/validate/vsa/attest.go Outdated
Comment thread internal/validate/vsa/attest.go Outdated
Introduced support for signing Verification Summary Attestations (VSAs)
using a new Signer and Attestor abstraction. The VSA predicate is
generated and written to disk, then signed to produce a DSSE envelope.

Key changes:
- Replaced processVSA and related helpers with explicit use of
  vsa.NewGenerator, vsa.NewWriter, and vsa.NewSigner
- Introduced vsa.NewAttestor to encapsulate VSA signing logic
- Signed DSSE envelope is written per component
- Output path of the envelope is logged for downstream use

These changes lay the foundation for secure VSA publishing by ensuring
attestations are signed at generation time.

Co-authored-by: Claude Sonnet 4

https://issues.redhat.com/browse/EC-1308
