in-toto-golang does not provide defaults for excluding artifacts #207
Comments
Hi @anotherbridge, this is caused because the first time you ran verification, it created some artifacts (it untar-ed the archive and created link metadata for the inspection). Subsequent verification attempts record these artifacts and consider them invalid. Can you try your comparison in two clean copies of the demo repo? Thanks!
Hey, thanks for the response @adityasaky. Unfortunately when running the same in two different and clean copies of the demo repo the same occurs. For the Python version everything works fine, but when running the verification with the Go version I'm still getting the same error:
This was the directory structure before I ran the verification in both cases:
Again here are the
Good catch, @anotherbridge! Here's why this is happening: https://github.com/in-toto/in-toto/blob/fbc1eb053dd39c6d1fb307a60bd2c781e667c931/in_toto/settings.py#L39 The Python implementation automatically excludes recording certain artifacts which the Go implementation does not. @lukpueh and @shibumi, do we add these defaults to the Go implementation?
Thanks very much @adityasaky! That explains the behavior. And when explicitly allowing the
Great! I'm going to edit this ticket to record exactly why this is happening.
Hey @adityasaky, I would like to take up this issue.
I'm actually less sure if we should patch it here or in in-toto-python. IMO the default excludes are not immediately obvious and are potentially unexpected behaviour to a newcomer. @lukpueh WDYT?
Note: this has been edited by @adityasaky to capture the underlying issue. The original issue filed by @anotherbridge is below.
General information:
in-toto-golang does not provide a default set of patterns to exclude like the Python reference implementation. See: https://github.com/in-toto/in-toto/blob/fbc1eb053dd39c6d1fb307a60bd2c781e667c931/in_toto/settings.py#L39
This causes some differences in behaviour when using this implementation instead of the reference implementation. This difference can be observed when using in-toto-golang with in-toto/demo during its untar inspection. The Go implementation does not automatically exclude the link metadata stored in final_product for the steps performed thus far.
Current behaviour:
No defaults for artifact excludes.
Expected behaviour:
Same defaults for artifact excludes as the Python reference implementation.
Original Issue
General information:
I did compare the Python and Golang versions of the in-toto framework. In order to do so I followed the demo project.
During the verification step the golang version seemed to have generated a corrupt untar.link file.
go version go1.19.6
Description of the bug:
When building the in-toto binary I ran:
According to the output all the tests seemed to be successful. Then I followed all the steps described in the demo project. All steps worked as expected when using the in-toto Golang version (denoted as in-toto-golang) until the point of verification. When running the verification step something interesting happened:
in-toto-verify --layout root.layout --layout-key alice.pub resulted in a success and return status 0.
in-toto-golang verify --layout root.layout --layout-keys alice.pub resulted in the following output:
untar.link as generated by the go version) again and got the following result back:
The two versions of the untar.link file are given as follows:
Golang
Python
P.S. I had to add a .txt extension to both of the files, since GitHub wouldn't let me upload them otherwise.
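The missing-defaults behaviour described in the edited issue above, as an added example (not code from in-toto-golang or in-toto-python): a minimal artifact recorder with a glob-based exclude list. The pattern values are assumed stand-ins, not the reference implementation's actual list; with nil patterns, link metadata such as final_product/untar.link is recorded like any other product, which is the mismatch observed here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"io/fs"
	"os"
	"path/filepath"
)

// Assumed stand-ins for the Python reference defaults (not copied from
// either project); "*.link*" is the pattern this issue is missing.
var DefaultExcludePatterns = []string{"*.link*", "*~"}

// Excluded matches a slash-separated relative path against glob patterns,
// testing both the full path and its base name (filepath.Match semantics).
func Excluded(rel string, patterns []string) bool {
	for _, p := range patterns {
		full, _ := filepath.Match(p, rel)
		base, _ := filepath.Match(p, filepath.Base(rel))
		if full || base {
			return true
		}
	}
	return false
}

// RecordArtifacts returns relative path -> sha256 hex for every regular
// file under root that is not excluded, as a link's materials/products
// would. With nil patterns it records link files too, as in the issue.
func RecordArtifacts(root string, patterns []string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		rel = filepath.ToSlash(rel)
		if Excluded(rel, patterns) {
			return nil // not recorded, so a later verify will not see it as an extra product
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		out[rel] = hex.EncodeToString(sum[:])
		return nil
	})
	return out, err
}
```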