Update to hashed payloads (#4)

* Update to hashed payloads

Signed-off-by: steve lasker <[email protected]>

* Update readme

* debugging

* var references

* Fix IF

* v0.6.0

---------

Signed-off-by: steve lasker <[email protected]>

README.md

@@ -60,7 +60,7 @@ The following example shows a minimal implementation.
 Three GitHub Action Secrets are used:
 
 - `secrets.DATATRAILS_CLIENT_ID`
-- `secrets.DATATRAILS_SECRET`
+- `secrets.DATATRAILS_CLIENT_SECRET`
 - `secrets.SIGNING_KEY`
 
 Sample github `action.yaml`
@@ -69,13 +69,14 @@ Sample github `action.yaml`
 name: Register SCITT Statement
 
 on:
-  push:
-    branches: [ "main" ]
+  workflow_dispatch:
+  # push:
+    # branches: [ "main" ]
 
 env:
   DATATRAILS_CLIENT_ID: ${{ secrets.DATATRAILS_CLIENT_ID }}
-  DATATRAILS_SECRET: ${{ secrets.DATATRAILS_SECRET }}
-  SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+  DATATRAILS_CLIENT_SECRET: ${{ secrets.DATATRAILS_CLIENT_SECRET }}
+  SIGNING_KEY: ${{ secrets.SYNSATION_SIGNING_KEY }}
   SUBJECT: "synsation.io/myproduct-v1.0"
   ISSUER: "synsation.io"
 jobs:
@@ -99,18 +100,28 @@ jobs:
         # A sample compliance file. Replace with an SBOM, in-toto statement, image for content authenticity, ...
         run: |
           echo '{"compliance.42":"true","software.eol":"2025-03-15"}' >> ./buildOutput/attestation.json
+      - name: Upload Attestation
+        id: upload-attestation
+        uses: actions/upload-artifact@v4
+        with:
+          name: attestation.json
+          path: ./buildOutput/attestation.json
       - name: Register as a SCITT Signed Statement
         # Register the Signed Statement wit DataTrails SCITT APIs
         id: register-compliance-scitt-signed-statement
-        uses: datatrails/scitt-action@v0.5
+        uses: datatrails/scitt-action@v0.6.0
         with:
-          datatrails-client_id: ${{ env.DATATRAILS_CLIENT_ID }}
-          datatrails-secret: ${{ env.DATATRAILS_SECRET }}
-          subject: ${{ env.SUBJECT }}
-          payload: "./buildOutput/attestation.json"
           content-type: "application/vnd.unknown.attestation+json"
-          signing-key-file: "./signingkey.pem"
+          payload-file: "./buildOutput/attestation.json"
+          payload-location: ${{ steps.upload-attestation.outputs.artifact-url }}
+          subject: ${{ env.SUBJECT }}
           issuer: ${{ env.ISSUER}}
+          signing-key-file: "./signingkey.pem"
+      - name: upload-transparent-statement
+        uses: actions/upload-artifact@v4
+        with:
+          name: transparent-statement
+          path: transparent-statement.cbor
       - name: cleanup-keys
         shell: bash
         run: |
@@ -123,10 +134,11 @@ To test incremental changes to this github action:
 
 1. Fork https://github.com/datatrails/scitt-action/ into an org you own
 1. Make the changes to your fork of the scitt-action
-1. For the repo you wish to include this action: 
-   - Change the `uses` to reference a branch and commit on your org/repo:
+1. For the repo you wish to include this action:
+   - Change the `uses` to reference a branch or commit on your org/repo:
 
     ```yaml
             uses: <your-org>/scitt-action@<full-commit>
+            uses: synsation-corp/scitt-action@featurebranch
             uses: synsation-corp/scitt-action@5b861ed4722787835cdd5e9d86efc698974f1131
     ```

action.yml

@@ -4,54 +4,34 @@ inputs:
   content-type:
     description: 'The payload content type (iana mediaType) to be registered on the SCITT Service (eg: application/spdx+json, application/vnd.cyclonedx+json, Scan Result, Attestation)'
     required: true
-  datatrails-client_id:
-    description: 'The CLIENT_ID used to access the DataTrails SCITT APIs'
-    required: true
-  datatrails-secret:
-    description: 'The SECRET used to access the DataTrails SCITT APIs'
-    required: true
-  issuer:
-    description: 'The name of the issuer, set to CTW_Claims:iss'
-    required: true
   payload-file:
     description: 'The payload file to be registered on the SCITT Service (eg: SBOM, Scan Result, Attestation)'
     required: true
   payload-location:
     description: 'Optional location the content of the payload may be stored.'
     required: false
-  receipt-file:
-    description: 'The filename to save the cbor receipt'
-    required: false
-    default: 'receipt.cbor'
-  signed-statement-file:
-    description: 'File representing the signed SCITT Statement that will be registered on SCITT.'
+  subject:
+    description: 'Unique ID for the collection of statements about an artifact'
+    required: true
+  transparent-statement-file:
+    description: 'The filename to save the cbor transparent statement, which includes the signed-statement and the receipt'
     required: false
-    default: 'signed-statement.cbor'
+    default: 'transparent-statement.cbor'
+  issuer:
+    description: 'The name of the issuer, set to CTW_Claims:iss'
+    required: true
   signing-key-file:
     description: 'The .pem file used to sign the statement'
     required: true
-  skip-receipt:
-    description: 'To skip receipt retrieval, set to 1'
-    required: false
-    default: '0'
-  subject:
-    description: 'Unique ID for the collection of statements about an artifact'
-    required: true
-outputs:
-  token: # id of output
-    description: 'the token used to authenticate'
+
 runs:
   using: 'docker'
   image: 'Dockerfile'
   args:
     - ${{ inputs.content-type }}
-    - ${{ inputs.datatrails-client_id }}
-    - ${{ inputs.datatrails-secret }}
-    - ${{ inputs.issuer }}
     - ${{ inputs.payload-file }}
     - ${{ inputs.payload-location}}
-    - ${{ inputs.receipt-file }}
-    - ${{ inputs.signed-statement-file }}
-    - ${{ inputs.signing-key-file }}
-    - ${{ inputs.skip-receipt }}
     - ${{ inputs.subject }}
+    - ${{ inputs.transparent-statement-file }}
+    - ${{ inputs.issuer }}
+    - ${{ inputs.signing-key-file }}

scitt-scripts/create-token.sh

@@ -1,24 +1,23 @@
 #!/bin/bash -l
 
-# echo "datatrails-client_id: " ${1}
-# echo "datatrails-secret:    " ${2}
-# echo "token-file:           " ${3}
+set -e
 
-if [ -z "$3" ]; then
+# echo "token-file:           " ${1}
+
+if [ -z "$1" ]; then
   TOKEN_FILE=$HOME/.datatrails/bearer-token.txt
   mkdir -p $HOME/.datatrails
   chmod 0700 $HOME/.datatrails
 else
-  TOKEN_FILE=${3}
+  TOKEN_FILE=${1}
 fi
 
 RESPONSE=$(curl -s -S https://app.datatrails.ai/archivist/iam/v1/appidp/token \
             --data-urlencode "grant_type=client_credentials" \
-            --data-urlencode "client_id=${1}" \
-            --data-urlencode "client_secret=${2}")
+            --data-urlencode "client_id=$DATATRAILS_CLIENT_ID" \
+            --data-urlencode "client_secret=$DATATRAILS_CLIENT_SECRET")
 
 if [[ $RESPONSE == *"access_token"* ]]; then
-  #rm $TOKEN_FILE
 
   TOKEN=$(echo -n $RESPONSE | jq -r .access_token)
   echo "PWD: $PWD"

scitt-scripts/create_hashed_signed_statement.py

@@ -18,7 +18,6 @@
 
 from ecdsa import SigningKey, VerifyingKey
 
-
 # CWT header label comes from version 4 of the scitt architecture document
 # https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-04.html#name-issuer-identity
 HEADER_LABEL_CWT = 13
@@ -33,7 +32,6 @@
 HEADER_LABEL_CWT_CNF = 8
 HEADER_LABEL_CNF_COSE_KEY = 1
 
-
 # Signed Hash envelope header labels from:
 # https://github.com/OR13/draft-steele-cose-hash-envelope/blob/main/draft-steele-cose-hash-envelope.md
 # pre-adoption/private use parameters
@@ -154,49 +152,49 @@ def main():
         default="application/json",
     )
 
-    # issuer
+    # payload-file (a reference to the file that will become the payload of the SCITT Statement)
     parser.add_argument(
-        "--issuer",
+        "--payload-file",
         type=str,
-        help="issuer who owns the signing key.",
+        help="filepath to the content that will be hashed into the payload of the SCITT Statement.",
+        default="scitt-payload.json",
     )
 
-    # output file
+    # payload-location
     parser.add_argument(
-        "--output-file",
+        "--payload-location",
         type=str,
-        help="name of the output file to store the signed statement.",
-        default="signed-statement.cbor",
+        help="location hint for the original statement that was hashed.",
     )
 
-    # payload-file (a reference to the file that will become the payload of the SCITT Statement)
+    # subject
     parser.add_argument(
-        "--payload-file",
+        "--subject",
         type=str,
-        help="filepath to the content that will be hashed into the payload of the SCITT Statement.",
-        default="scitt-payload.json",
+        help="subject to correlate statements made about an artifact.",
     )
 
-    # payload-location
+    # output file
     parser.add_argument(
-        "--payload-location",
+        "--output-file",
         type=str,
-        help="location hint for the original statement that was hashed.",
+        help="name of the output file to store the signed statement.",
+        default="signed-statement.cbor",
     )
 
-    # signing key file
+    # issuer
     parser.add_argument(
-        "--signing-key-file",
+        "--issuer",
         type=str,
-        help="filepath to the stored ecdsa P-256 signing key, in pem format.",
-        default="scitt-signing-key.pem",
+        help="issuer who owns the signing key.",
     )
 
-    # subject
+    # signing key file
     parser.add_argument(
-        "--subject",
+        "--signing-key-file",
         type=str,
-        help="subject to correlate statements made about an artifact.",
+        help="filepath to the stored ecdsa P-256 signing key, in pem format.",
+        default="scitt-signing-key.pem",
     )
 
     args = parser.parse_args()

scitt-scripts/dump_cbor.py

@@ -0,0 +1,38 @@
+""" Module for dumping a CBOR file """
+
+import argparse
+from pprint import pprint
+from pycose.messages import Sign1Message
+
+
+def main():
+    """Dumps content of a supposed CBOR file"""
+
+    parser = argparse.ArgumentParser(
+        description="Dumps content of a supposed CBOR file"
+    )
+
+    # Signed Statement file
+    parser.add_argument(
+        "--input",
+        type=str,
+        help="filepath to the CBOR file.",
+        default="transparent-statement.cbor",
+    )
+
+    args = parser.parse_args()
+
+    with open(args.input, "rb") as data_file:
+        data = data_file.read()
+        message = Sign1Message.decode(data)
+        print("\ncbor decoded cose sign1 statement:\n")
+        print("protected headers:")
+        pprint(message.phdr)
+        print("\nunprotected headers: ")
+        pprint(message.uhdr)
+        print("\npayload: ", message.payload)
+        print("payload hex: ", message.payload.hex())
+
+
+if __name__ == "__main__":
+    main()