fix: Switch to newer DSSE rekor type

Hayden-IO · Hayden-IO · commit bdeea0034efc · 2024-02-29T22:58:45.000Z
The intoto v001 type does not persist signatures of the DSSE envelope, as noted in sigstore/rekor#973. We introduced an intoto v002 type shortly after to fix this, but since then, we've introduced another newer type, DSSE v001, which also does not persist the attestation in Rekor (as we discourage using Rekor as storage). I also updated the verifier in slsa-framework/slsa-verifier#742 to search for both Rekor entry types. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
diff --git a/signing/sigstore/rekor.go b/signing/sigstore/rekor.go
@@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo
 		return nil, fmt.Errorf("creating rekor client: %w", err)
 	}
 	// TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?
-	logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
+	logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
 	if err != nil {
 		return nil, fmt.Errorf("uploading attestation: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo`
`80`	`80`	`return nil, fmt.Errorf("creating rekor client: %w", err)`
`81`	`81`	`}`
`82`	`82`	`// TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?`
`83`		`- logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))`
	`83`	`+ logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))`
`84`	`84`	`if err != nil {`
`85`	`85`	`return nil, fmt.Errorf("uploading attestation: %w", err)`
`86`	`86`	`}`