Squashed 'subtrees/go-witness/' changes from 0b28c0f5..8fbc70b1

8fbc70b1 chore: bump github.com/aws/aws-sdk-go from 1.50.30 to 1.50.38 (in-toto#196)
289e9b23 chore: bump k8s.io/apimachinery from 0.29.2 to 0.29.3 (in-toto#195)
5429db56 chore: bump cloud.google.com/go/kms from 1.15.7 to 1.15.8 (in-toto#194)
7f6ea51e chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.8 to 1.27.9 (in-toto#193)
53610c1b chore: bump actions/dependency-review-action from 4.1.3 to 4.2.4 (in-toto#192)
29296244 chore: bump softprops/action-gh-release from 2.0.3 to 2.0.4 (in-toto#191)
ed8ae371 chore: bump github/codeql-action from 3.24.8 to 3.24.9 (in-toto#190)
fe836545 chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.8 (in-toto#189)
27a5a540 chore: bump actions/checkout from 4.1.1 to 4.1.2 (in-toto#188)
e12f3e75 chore: bump github/codeql-action from 3.24.6 to 3.24.8 (in-toto#187)
981d0fbd chore: bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (in-toto#186)
629e83ac chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.29.1 to 1.29.2 (in-toto#183)
22975635 chore: bump google.golang.org/grpc from 1.62.0 to 1.62.1 (in-toto#182)
c479bdb4 chore: bump softprops/action-gh-release from 1 to 2 (in-toto#181)
af6cb4b7 chore: bump gopkg.in/go-jose/go-jose.v2 from 2.6.2 to 2.6.3 (in-toto#179)
f0cd5b11 chore: bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 (in-toto#180)
31febef5 chore: bump github.com/aws/aws-sdk-go from 1.50.27 to 1.50.30 (in-toto#177)
61776d68 chore: bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (in-toto#178)
2aac8f3f chore: bump actions/download-artifact from 4.1.2 to 4.1.4 (in-toto#176)
73f387a9 chore: bump github/codeql-action from 3.24.5 to 3.24.6 (in-toto#175)
2604d61e 168 support all fulcio cert extensions (in-toto#174)
b6f3a568 fix: reset verifier each iteration while loading pub keys from policy (in-toto#173)
0d420e02 chore: bump google.golang.org/grpc from 1.61.0 to 1.61.1 (in-toto#171)
a7362f41 chore: bump actions/dependency-review-action from 4.1.1 to 4.1.3 (in-toto#170)
f0456d7c chore: bump github/codeql-action from 3.24.3 to 3.24.5 (in-toto#169)
98357187 chore: bump github/codeql-action from 3.24.0 to 3.24.3 (in-toto#162)
ac085845 chore: bump k8s.io/apimachinery from 0.26.13 to 0.26.14 (in-toto#161)
c2607968 chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.45 (in-toto#160)
7dbbdbdb chore: bump cloud.google.com/go/kms from 1.15.2 to 1.15.7 (in-toto#158)
8278d008 chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.20.4 to 1.20.12 (in-toto#157)
856f1a04 chore: bump actions/download-artifact from 4.1.1 to 4.1.2 (in-toto#163)
7732ec53 chore: bump fossas/fossa-action from 1.3.1 to 1.3.3 (in-toto#164)
4dcce5ec chore: bump actions/dependency-review-action from 4.0.0 to 4.1.1 (in-toto#165)
5e54141d chore: bump testifysec/witness-run-action from 0.1.3 to 0.1.5 (in-toto#166)
57ca28ab Add Tom as an official maintainer (in-toto#156)
f7a1037f KMS Support (in-toto#120)
c5816df0 fix: vault warnings are an array, not a string (in-toto#153)
94153c72 chore: bump actions/checkout from 3.6.0 to 4.1.1 (in-toto#151)
5fe9d92f chore: bump step-security/harden-runner from 2.6.1 to 2.7.0 (in-toto#152)
ed3767b5 chore: bump actions/upload-artifact from 4.3.0 to 4.3.1 (in-toto#154)
94717f0e chore: bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (in-toto#155)
95cf785f chore: bump github/codeql-action from 3.23.2 to 3.24.0 (in-toto#150)
f07f03c9 [StepSecurity] ci: Harden GitHub Actions (in-toto#148)
86f50965 Checking policy signature against cert constraints (in-toto#144)
3ce1385b Adding workaround due to failing workflows (in-toto#145)
4f2a630a RunAttestors refactor (in-toto#131)
be75142a fixing error in github actions workflow (in-toto#147)
77a9f42e Adding job to auto cut releases (in-toto#141)
fa5d2caa chore: bump github/codeql-action from 3.23.1 to 3.23.2 (in-toto#143)
b8734c70 chore: bump actions/upload-artifact from 4.2.0 to 4.3.0 (in-toto#142)
027b47d0 refactor: move gitoid code to cyrptoutil, use digestvalue everywhere (in-toto#139)
2cb096b7 Adding policy intermediates option to verify function (in-toto#138)
33998ffe Improved the search to be concurrent (in-toto#62)
cfcb7cc5 Moving the timestamper interfaces to the timestamp directory (in-toto#132)
dd59a2ba chore: bump actions/dependency-review-action from 3.1.5 to 4.0.0 (in-toto#137)
45992877 chore: bump github/codeql-action from 3.23.0 to 3.23.1 (in-toto#136)
6c44e5b1 chore: bump actions/upload-artifact from 4.1.0 to 4.2.0 (in-toto#135)
884637a8 chore: bump k8s.io/apimachinery from 0.26.12 to 0.26.13 (in-toto#134)
acaefcf0 chore: bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 (in-toto#133)
07128d24 Included tests for GitHub attestations (in-toto#61)
3e7ddccb Included Tests for memory.go LoadEnvelope and Search (in-toto#59)

git-subtree-dir: subtrees/go-witness
git-subtree-split: 8fbc70b1d7db128d88f2aba60e16c97ff267d583

.github/workflows/codeql.yml

@@ -55,16 +55,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -31,11 +31,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5
+        uses: actions/dependency-review-action@733dd5d4a5203f238c33806593ec0f5fc5343d8c # v4.2.4

.github/workflows/fossa.yml

@@ -20,9 +20,9 @@ jobs:
       steps:
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Checkout Code"
-          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Run FOSSA Scan"
-          uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+          uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
           with:
             api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/golangci-lint.yml

@@ -30,16 +30,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: "go.mod"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
           version: latest
           args: --timeout=3m
+          skip-pkg-cache: true

.github/workflows/release.yml

@@ -55,3 +55,13 @@ jobs:
       command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
       artifact-upload-name: profile.cov
       artifact-upload-path: profile.cov
+
+  release:
+    needs: [fmt, sast, unit-test]
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Release
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4

.github/workflows/scorecards.yml

@@ -45,12 +45,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           persist-credentials: false
 
@@ -77,14 +77,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           sarif_file: results.sarif

.github/workflows/verify-licence.yml

@@ -27,11 +27,11 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: Harden Runner
-          uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+          uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
           with:
             egress-policy: audit
 
-        - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
           with:
             go-version: '1.21.x'

.github/workflows/witness.yml

@@ -51,23 +51,23 @@ jobs:
             id-token: write
         steps:
           - name: Harden Runner
-            uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+            uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
             with:
               egress-policy: audit
 
-          - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
             with:
               go-version: 1.21.x
 
           - if: ${{ inputs.artifact-download != '' }}
-            uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+            uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
             with:
               name: ${{ inputs.artifact-download }}
               path: /tmp
 
           - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
             with:
               step: pre-${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
@@ -76,7 +76,7 @@ jobs:
             run: ${{ inputs.pre-command }}
 
           - if: ${{ inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
             with:
               step: ${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
@@ -85,7 +85,7 @@ jobs:
             run: ${{ inputs.command }}
 
           - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
-            uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
+            uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
             with:
               name: ${{ inputs.artifact-upload-name }}
               path: ${{ inputs.artifact-upload-path }}

.gitignore

@@ -12,3 +12,6 @@ test/scorecard.json
 log
 sarif-report.json
 test/log
+.idea/
+profile.cov
+.vscode/

.golangci.yml

@@ -0,0 +1,32 @@
+# Copyright 2024 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+linters:
+  enable:
+  - unused
+  - errcheck
+  - gofmt
+  - goimports
+output:
+  uniq-by-line: false
+issues:
+  exclude-rules:
+  # the following section is due to the legacy cert fields being deprecated
+  - path: policy/constraints.go
+    linters:
+    - staticcheck
+    text: SA1019
+run:
+  issues-exit-code: 1
+  timeout: 10m

MAINTAINERS.md

@@ -2,7 +2,8 @@
 
 | Name                       | GitHub          |
 |----------------------------|-----------------|
-| Cole Kennedy (TestifySec)      | [@colek42](https://github.com/colek42) |
-| John Kjell (TestifySec)     | [@jkjell](https://github.com/jkjell) |
+| Cole Kennedy (TestifySec)  | [@colek42](https://github.com/colek42) |
+| John Kjell (TestifySec)    | [@jkjell](https://github.com/jkjell) |
+| Tom Meadows (TestifySec)   | [@ChaosInTheCRD](https://github.com/ChaosInTheCRD) |
+| Aditya Sirish (NYU)        | [@adityasaky](https://github.com/adityasaky) |
 | Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
-| Aditya Sirish (NYU)       | [@adityasaky](https://github.com/adityasaky) |

archivista/store.go

@@ -22,7 +22,7 @@ import (
 )
 
 func (c *Client) Store(ctx context.Context, env dsse.Envelope) (string, error) {
-	resp, err := archivistaapi.Store(ctx, c.url, env)
+	resp, err := archivistaapi.Upload(ctx, c.url, env)
 	if err != nil {
 		return "", err
 	}

attestation/aws-iid/aws-iid.go

@@ -80,7 +80,7 @@ func init() {
 
 type Attestor struct {
 	ec2metadata.EC2InstanceIdentityDocument
-	hashes    []crypto.Hash
+	hashes    []cryptoutil.DigestValue
 	session   session.Session
 	conf      *aws.Config
 	RawIID    string `json:"rawiid"`
@@ -195,7 +195,7 @@ func (a *Attestor) Verify() error {
 }
 
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
-	hashes := []crypto.Hash{crypto.SHA256}
+	hashes := []cryptoutil.DigestValue{{Hash: crypto.SHA256}}
 	subjects := make(map[string]cryptoutil.DigestSet)
 	if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.InstanceID), hashes); err == nil {
 		subjects[fmt.Sprintf("instanceid:%s", a.EC2InstanceIdentityDocument.InstanceID)] = ds

attestation/commandrun/commandrun.go

@@ -115,9 +115,10 @@ type CommandRun struct {
 
 func (rc *CommandRun) Attest(ctx *attestation.AttestationContext) error {
 	if len(rc.Cmd) == 0 {
-		return attestation.ErrInvalidOption{
-			Option: "Cmd",
-			Reason: "CommandRun attestation requires a command to run",
+		return attestation.ErrAttestor{
+			Name:    rc.Name(),
+			RunType: rc.RunType(),
+			Reason:  "CommandRun attestation requires a command to run",
 		}
 	}
 

attestation/commandrun/tracing_linux.go

@@ -18,7 +18,6 @@ package commandrun
 
 import (
 	"bytes"
-	"crypto"
 	"fmt"
 	"os"
 	"os/exec"
@@ -42,7 +41,7 @@ type ptraceContext struct {
 	mainProgram          string
 	processes            map[int]*ProcessInfo
 	exitCode             int
-	hash                 []crypto.Hash
+	hash                 []cryptoutil.DigestValue
 	environmentBlockList map[string]struct{}
 }