

Canonicalize JSON before signing
This is required by the [in-toto spec](https://github.com/in-toto/docs/blob/master/in-toto-spec.md#4-document-formats).

Signed-off-by: Pieter Lexis <[email protected]>
pieterlexis committed Dec 16, 2021
1 parent 97f4f3b commit d5630fb
Showing 3 changed files with 5 additions and 2 deletions.
4 changes: 2 additions & 2 deletions cmd/slsa-provenance/cli/sign.go
Expand Up @@ -7,6 +7,7 @@ import (
"io/ioutil"
"os"

cjson "github.com/docker/go/canonical/json"
"github.com/pkg/errors"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/dsse"
Expand Down Expand Up @@ -52,9 +53,8 @@ func Sign() *cobra.Command {

wrappedSigner := dsse.WrapSigner(signer, intoto.InTotoPayloadType)

// TODO canonicalize the provenance
var toSign []byte
if toSign, err = json.Marshal(provenance); err != nil {
if toSign, err = cjson.MarshalCanonical(provenance); err != nil {
// Should be impossible, but hey!
return errors.Wrap(err, "Could not marshal provenance for signing")
}
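Review bot: The `// Should be impossible, but hey!` comment above the error return no longer holds once the payload goes through `cjson.MarshalCanonical`: a canonical JSON encoder is stricter than encoding/json (implementations typically reject values the plain encoder accepts, such as floating-point numbers), so a provenance carrying such a field would now fail here at signing time, which is the right outcome but not an impossible one. Replace the comment with `// MarshalCanonical is stricter than encoding/json; refuse to sign rather than emit a non-canonical payload.` and keep the wrapped error as written. If `encoding/json` is no longer referenced elsewhere in sign.go, its import (above this file's first hunk, which starts at line 7) must also be removed or the package will not compile; that cannot be confirmed from the visible lines. The enclosing `Sign` function starts and ends outside the hunk.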
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -20,6 +20,7 @@ require (

require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/go v1.5.1-1
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -284,6 +284,8 @@ github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
github.com/docker/go v1.5.1-1 h1:hr4w35acWBPhGBXlzPoHpmZ/ygPjnmFVxGxxGnMyP7k=
github.com/docker/go v1.5.1-1/go.mod h1:CADgU4DSXK5QUlFslkQu2yW2TKzFZcXq/leZfM0UH5Q=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=

