Merge branch 'main' into dirhash-glob

.github/workflows/codeql.yml

@@ -55,7 +55,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -64,7 +64,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/autobuild@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 

.github/workflows/fossa.yml

@@ -23,6 +23,6 @@ jobs:
           uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Run FOSSA Scan"
-          uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
+          uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
           with:
             api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/golangci-lint.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -43,4 +43,4 @@ jobs:
         with:
           version: latest
           args: --timeout=3m
-          skip-pkg-cache: true
+          skip-cache: true

.github/workflows/scorecards.yml

@@ -45,7 +45,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -77,14 +77,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           sarif_file: results.sarif

.github/workflows/verify-licence.yml

@@ -27,7 +27,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: Harden Runner
-          uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+          uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
           with:
             egress-policy: audit
 

.github/workflows/witness.yml

@@ -51,7 +51,7 @@ jobs:
             id-token: write
         steps:
           - name: Harden Runner
-            uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+            uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
             with:
               egress-policy: audit
 
@@ -85,7 +85,7 @@ jobs:
             run: ${{ inputs.command }}
 
           - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
-            uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+            uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
             with:
               name: ${{ inputs.artifact-upload-name }}
               path: ${{ inputs.artifact-upload-path }}

attestation/policyverify/policyverify.go

@@ -27,6 +27,7 @@ import (
 	ipolicy "github.com/in-toto/go-witness/internal/policy"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/policy"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/slsa"
 	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/go-witness/timestamp"
@@ -54,10 +55,11 @@ type Attestor struct {
 	*ipolicy.VerifyPolicySignatureOptions
 	slsa.VerificationSummary
 
-	stepResults      map[string]policy.StepResult
-	policyEnvelope   dsse.Envelope
-	collectionSource source.Sourcer
-	subjectDigests   []string
+	stepResults        map[string]policy.StepResult
+	policyEnvelope     dsse.Envelope
+	collectionSource   source.Sourcer
+	subjectDigests     []string
+	kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type Option func(*Attestor)
@@ -76,6 +78,12 @@ func VerifyWithPolicyEnvelope(policyEnvelope dsse.Envelope) Option {
 	}
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) Option {
+	return func(a *Attestor) {
+		a.kmsProviderOptions = opts
+	}
+}
+
 func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) Option {
 	return func(vo *Attestor) {
 		for _, set := range subjectDigests {
@@ -149,7 +157,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		return fmt.Errorf("failed to unmarshal policy from envelope: %w", err)
 	}
 
-	pubKeysById, err := pol.PublicKeyVerifiers()
+	pubKeysById, err := pol.PublicKeyVerifiers(a.kmsProviderOptions)
 	if err != nil {
 		return fmt.Errorf("failed to get public keys from policy: %w", err)
 	}

policy/policy.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/signer/kms"
 	"github.com/in-toto/go-witness/source"
 
@@ -55,18 +56,39 @@ type PublicKey struct {
 }
 
 // PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID
-func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) {
+func (p Policy) PublicKeyVerifiers(ko map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) (map[string]cryptoutil.Verifier, error) {
 	verifiers := make(map[string]cryptoutil.Verifier)
 	var err error
 
 	for _, key := range p.PublicKeys {
 		var verifier cryptoutil.Verifier
 		for _, prefix := range kms.SupportedProviders() {
 			if strings.HasPrefix(key.KeyID, prefix) {
-				verifier, err = kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")).Verifier(context.TODO())
+				ksp := kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256"))
+				var vp signer.SignerProvider
+				for _, opt := range ksp.Options {
+					pn := opt.ProviderName()
+					for _, setter := range ko[pn] {
+						vp, err = setter(ksp)
+						if err != nil {
+							continue
+						}
+					}
+				}
+
+				if vp != nil {
+					var ok bool
+					ksp, ok = vp.(*kms.KMSSignerProvider)
+					if !ok {
+						return nil, fmt.Errorf("provided verifier provider is not a KMS verifier provider")
+					}
+				}
+
+				verifier, err = ksp.Verifier(context.TODO())
 				if err != nil {
-					return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err)
+					return nil, fmt.Errorf("failed to create kms verifier: %w", err)
 				}
+
 			}
 		}
 

policy/policy_test.go

@@ -31,6 +31,7 @@ import (
 	"github.com/in-toto/go-witness/attestation/commandrun"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/intoto"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/source"
 	"github.com/invopop/jsonschema"
 	"github.com/stretchr/testify/assert"
@@ -483,7 +484,7 @@ func TestPubKeyVerifiers(t *testing.T) {
 				}
 			}
 
-			verifiers, err := p.PublicKeyVerifiers()
+			verifiers, err := p.PublicKeyVerifiers(map[string][]func(signer.SignerProvider) (signer.SignerProvider, error){})
 			if testCase.expectedErr == nil {
 				assert.NoError(t, err)
 				assert.Len(t, verifiers, testCase.expectedLen)

signer/kms/aws/client.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -303,7 +304,6 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 	}
 
 	opts := []func(*config.LoadOptions) error{}
-
 	if a.options.insecureSkipVerify {
 		log.Warn("InsecureSkipVerify is enabled for AWS KMS attestor")
 		opts = append(opts, config.WithHTTPClient(&http.Client{
@@ -320,6 +320,9 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 		}
 
 		log.Debug("Using file ", f, " as credentials file for AWS KMS provider")
+		if _, err := os.ReadFile(f); err != nil {
+			return fmt.Errorf("error reading credentials file: %w", err)
+		}
 		opts = append(opts, config.WithSharedCredentialsFiles([]string{f}))
 	}
 

verify.go

@@ -27,6 +27,7 @@ import (
 	"github.com/in-toto/go-witness/dsse"
 	ipolicy "github.com/in-toto/go-witness/internal/policy"
 	"github.com/in-toto/go-witness/policy"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/slsa"
 	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/go-witness/timestamp"
@@ -49,6 +50,7 @@ type verifyOptions struct {
 	verifyPolicySignatureOptions []ipolicy.Option
 	runOptions                   []RunOption
 	signers                      []cryptoutil.Signer
+	kmsProviderOptions           map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type VerifyOption func(*verifyOptions)
@@ -121,6 +123,12 @@ func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption {
 	}
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) VerifyOption {
+	return func(vo *verifyOptions) {
+		vo.kmsProviderOptions = opts
+	}
+}
+
 type VerifyResult struct {
 	RunResult
 	VerificationSummary slsa.VerificationSummary
@@ -148,7 +156,12 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
 	vo.runOptions = append(vo.runOptions,
 		RunWithAttestors(
 			[]attestation.Attestor{
-				policyverify.New(vo.attestorOptions...),
+				policyverify.New(
+					append(
+						[]policyverify.Option{policyverify.VerifyWithKMSProviderOptions(vo.kmsProviderOptions)},
+						vo.attestorOptions...,
+					)...,
+				),
 			},
 		),
 	)