
Conversation

@joejstuart
Contributor

  • Replace dual in-toto 0.0.1 + DSSE 0.0.1 entries with single in-toto 0.0.2
  • Return ssldsse.Envelope directly from retrieval instead of JSON
  • Remove VSAWithSignatures and dual-entry pairing logic
  • Eliminate redundant DSSE reconstruction in hot path
  • Update signature verification to use ssldsse.Envelope directly
  • Leverage in-toto 0.0.2 native DSSE envelope support

This migration simplifies VSA storage and retrieval by consolidating to one entry per VSA. Signature verification and payload inspection remain supported via the DSSE envelope embedded in the entry.

Assisted by: claude-4-sonnet

@codecov

codecov bot commented Sep 10, 2025

Codecov Report

❌ Patch coverage is 52.07101% with 81 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/validate/vsa/storage_rekor.go | 28.81% | 42 Missing ⚠️ |
| internal/validate/vsa/rekor_retriever.go | 64.54% | 39 Missing ⚠️ |

| Flag | Coverage Δ |
| --- | --- |
| generative | 67.26% <52.07%> (?) |
| integration | 67.26% <52.07%> (-0.02%) ⬇️ |
| unit | 67.26% <52.07%> (?) |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
| --- | --- |
| internal/validate/vsa/retrieval.go | 100.00% <ø> (ø) |
| internal/validate/vsa/rekor_retriever.go | 42.89% <64.54%> (-17.41%) ⬇️ |
| internal/validate/vsa/storage_rekor.go | 41.29% <28.81%> (+11.62%) ⬆️ |

... and 5 files with indirect coverage changes


@joejstuart
Contributor Author

/retest

Contributor

@dheerajodha dheerajodha left a comment


The overall logic lgtm, added a few comments related to the cleanup.

@dheerajodha
Contributor

FTR: I tested the changes from this PR by uploading a new VSA for an image and then fetching the content from Rekor.
Here's what the response looks like:

LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
Attestation: <..super long VSA content...>
Index: 499501692
IntegratedTime: 2025-09-11T11:53:48Z
UUID: 108e9186e8c5677a5ccc521d2d2fd2a00f86e3e84c8a0b754c780c1127bf8b15e9d361670e998db7
Body: {
  "IntotoObj": {
    "content": {
      "envelope": {
        "payloadType": "application/vnd.in-toto+json",
        "signatures": [
          {
            "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMml5aW5kS3RHQlBnVFZHWWVqaEc2cEJoYUlTYgoza0dMdmlkSFVrQ25RMGszUzlBZUpaYkZTL0wrOXM4OEJ6MjVBVnQ5Wk94Znh4d1ZGelV5TGlIaHF3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
            "sig": "TUVVQ0lEc0ZHcTY1eEtTY0tXUnQ4a0R2U1pXQjc2cW1mSDJjTExnZkU3b21sU24rQWlFQTdRSlFsMHQ1RVZHc3B5K3BpWk1SNVhCbnJXU2NMSldESFNncmdTdkMxbkE9"
          }
        ]
      },
      "hash": {
        "algorithm": "sha256",
        "value": "b43ca5a4ecb0a78f836603c6d8b17c7156946c17489085c8e4c87854594c1b6f"
      },
      "payloadHash": {
        "algorithm": "sha256",
        "value": "58cd40552e08c25df23947185123006a524bc8faea9d292ec13f83c21ed4f76e"
      }
    }
  }
}
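Added example, not code from this PR, from Rekor or from the project: it builds a constructed in-toto 0.0.2 body in the shape shown above with a fresh P-256 key and then verifies it the way a consumer holding the `Attestation` bytes (elided above) would. It assumes ECDSA over SHA-256 of the DSSE PAE, which is what a P-256 key implies, and that `payloadHash` is SHA-256 of the raw attestation bytes; the payload, key and JSON template are all constructed here.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"encoding/base64"; "encoding/json"; "encoding/pem"; "fmt"
)
// body mirrors the in-toto 0.0.2 entry above (json.Unmarshal matches keys case-insensitively). Rekor's
// JSON base64-wraps byte fields, so publicKey is base64(PEM) and sig is base64(base64(DER)): decoding
// the "TUVV..." value above once gives "MEUC...", the DSSE envelope's own base64-encoded signature.
type body struct {
	IntotoObj struct {
		Content struct {
			Envelope    struct{ PayloadType string; Signatures []struct{ PublicKey, Sig string } }
			PayloadHash struct{ Value string }
		}
	}
}
// pae is the DSSE v1 pre-authentication encoding; the signature covers this, not the bare payload.
func pae(t string, p []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(p), p)) }
// MakeEntry signs payload with a fresh P-256 key and returns a constructed body in the shape above.
func MakeEntry(payload []byte) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", err }
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	digest, ph := sha256.Sum256(pae("application/vnd.in-toto+json", payload)), sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	b64 := base64.StdEncoding.EncodeToString // once for the PEM, twice for the sig, as in the entry above
	return fmt.Sprintf(`{"IntotoObj":{"content":{"envelope":{"payloadType":"application/vnd.in-toto+json","signatures":[{"publicKey":%q,"sig":%q}]},"payloadHash":{"algorithm":"sha256","value":"%x"}}}}`,
		b64(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), b64([]byte(b64(sig))), ph[:]), nil
}
// VerifyEntry binds the attestation bytes to the entry via payloadHash, then checks every DSSE signature
// with the embedded public key; an entry carrying no signatures is rejected rather than passed.
func VerifyEntry(entry string, payload []byte) error {
	var b body
	if err := json.Unmarshal([]byte(entry), &b); err != nil { return err }
	c, ph, dec := b.IntotoObj.Content, sha256.Sum256(payload), base64.StdEncoding.DecodeString
	if fmt.Sprintf("%x", ph[:]) != c.PayloadHash.Value { return fmt.Errorf("payloadHash does not match attestation") }
	if len(c.Envelope.Signatures) == 0 { return fmt.Errorf("entry carries no signatures") }
	digest := sha256.Sum256(pae(c.Envelope.PayloadType, payload))
	for _, s := range c.Envelope.Signatures {
		pemKey, _ := dec(s.PublicKey) // strip Rekor's JSON base64 layer
		blk, _ := pem.Decode(pemKey)
		if blk == nil { return fmt.Errorf("publicKey is not PEM") }
		pub, err := x509.ParsePKIXPublicKey(blk.Bytes)
		inner, _ := dec(s.Sig); der, _ := dec(string(inner)) // Rekor's layer, then the DSSE layer
		if ec, ok := pub.(*ecdsa.PublicKey); err != nil || !ok || !ecdsa.VerifyASN1(ec, digest[:], der) {
			return fmt.Errorf("signature does not verify")
		}
	}
	return nil
}
```

A real entry's `sig` and `publicKey` values go through the same two-step decode; a verifier that decodes only once will reject every valid entry.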

Contributor

@dheerajodha dheerajodha left a comment


LGTM (except the failing tests)

@joejstuart joejstuart merged commit d065483 into conforma:main Sep 11, 2025
17 of 20 checks passed