Conversation
Do the documentation changes need to be backported?Changes to
|
|
| if err := os.WriteFile(filepath.Join(flags.workspaceDir, nextTransitionHashFilename), []byte(transitionHashHex), 0o644); err != nil { | ||
| return fmt.Errorf("writing transition hash: %w", err) | ||
| } | ||
| fmt.Fprintf(cmd.OutOrStdout(), "✔️ Transition hash %s written to %s\n", transitionHashHex, filepath.Join(flags.workspaceDir, nextTransitionHashFilename)) |
There was a problem hiding this comment.
Do we want to write to a file here or to stdout? I've written it to a file for now since we compute the signature over a file when using openssl.
| if grpcSt.Code() == codes.PermissionDenied { | ||
| msg := "Permission denied." | ||
| if workloadOwnerKey == nil { | ||
| msg += " Specify a workload owner key with --workload-owner-key." |
There was a problem hiding this comment.
Should we change something here? I'm not sure if this still makes sense considering an error when validating the manifest signature.
| return nil, status.Errorf(codes.FailedPrecondition, "previous transition hash '%x' does not match latest state '%x'", req.GetPreviousTransitionHash(), oldState.LatestTransition().TransitionHash) | ||
| } | ||
| } else { | ||
| // First SetManifest call, initialize seed engine. |
There was a problem hiding this comment.
I'm also not sure if we need to consider a signed manifest update on a first set manifest call. It doesn't really make sense but it is possible to pass a signature here. The only thing we could do though is check if the signature is valid for a key in the new manifest. For atomic updates we check if the provided previous hash is empty, but here the previous hash would be integrated into the signature...
1 participant
This PR allows setting a manifest without the CLI having access to the workload owner key. A user can instead pass a signature to the CLI which, when verified by the Coordinator using one of the workload owner keys from current manifest, authorizes the manifest update.
The user has to use the
--dry-runflag ofcontrast setto obtain the blob to sign:contrast set --dry-run resources/The user can then use some other tool with potentially HSM managed keys to generate a signature over the transition blob:
The signature is then passed to the CLI instead of a workload owner key:
contrast set --signature transition.sig resources/