Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add user agent to online Rekor requests and TUF requests. #216

Merged
merged 4 commits into from
Jul 2, 2024
Merged

Add user agent to online Rekor requests and TUF requests. #216

merged 4 commits into from
Jul 2, 2024

Conversation

steiza
Copy link
Member

@steiza steiza commented Jun 25, 2024

Summary

For #143.

One way to test this is to set up a fake TUF server locally with something like nc -l 8000 and then attempt a verification with something like:

go run cmd/sigstore-go/main.go -artifact examples/sigstore-go-signing/hello_world.txt -tufRootURL http://127.0.0.1:8000 -expectedSANRegex ".+" -expectedIssuer "https://token.actions.githubusercontent.com" examples/bundle-provenance.json

Note that this verification won't succeed, this is just to see that the User-Agent is being set.

Depends on theupdateframework/go-tuf#642.

Release Note

  • Rekor verification and TUF client additionally send User-Agent header with requests

Documentation

N/A

@steiza steiza mentioned this pull request Jun 25, 2024
Merged
@steiza
Add pkg/util/util.go
1894da8 
Signed-off-by: Zach Steindler <[email protected]>
@steiza steiza mentioned this pull request Jun 25, 2024
Closed
@steiza
Copy link
Member Author

steiza commented Jun 25, 2024

Note that some checks will fail until theupdateframework/go-tuf#642 lands, which this depends on.

@steiza steiza marked this pull request as ready for review July 1, 2024 14:50
@steiza steiza requested a review from a team July 1, 2024 14:50
haydentherapper
haydentherapper previously approved these changes Jul 1, 2024
View reviewed changes
@codysoyland
Copy link
Member

codysoyland commented Jul 1, 2024
edited
Loading

The LibraryVersion value won't be set when this is used as a library (it must be set with LDFLAGS, so projects that import sigstore-go must set that value). Can we switch to the debug/buildinfo package for this?

codysoyland
codysoyland requested changes Jul 1, 2024
View reviewed changes
Copy link
Member

@codysoyland codysoyland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See last comment

@steiza
Copy link
Member Author

steiza commented Jul 1, 2024

Can we switch to the debug/buildinfo package for this?

Sure! That turns out to have simplified things considerably.

haydentherapper
haydentherapper approved these changes Jul 1, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oo nice, this cleans up well!

codysoyland
codysoyland approved these changes Jul 1, 2024
View reviewed changes
Copy link
Member

@codysoyland codysoyland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! One small caveat with that debug.ReadBuildInfo() solution is that the version is not read from git tags when using go build to build the sigstore-go CLI (it outputs just (devel) in that case). However, when using it as a package, or when installing with go install pkg@version, it should contain the tagged version. I'm okay with that caveat personally.

@steiza steiza merged commit 87bfa5b into main Jul 2, 2024
11 checks passed
@steiza steiza deleted the more-user-agents branch July 2, 2024 12:26
@steiza steiza mentioned this pull request Jul 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codysoyland codysoyland codysoyland approved these changes

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@steiza @codysoyland @haydentherapper