A package that is quite pointless
Project description
This is homework 1 of CS-GY/UY 3943/9223 Supply Chain Security.
set-up:
This entire project is based on the sigstore cosign tool on Linux:
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
If you have Go or Homebrew installed, installing cosign through them is easier.
Signing an artifact:
- Sign an artifact with the cosign tool, using your identity:
cosign sign-blob <file> --bundle cosign.bundle
You can also refer to the official cosign tutorial.
After signing an artifact:
commands:
python3 main.py -c
python3 main.py --inclusion <artifact>
# (the last argument can be changed to any artifact you signed)
python3 main.py --consistency
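The `--inclusion` and `--consistency` commands above check Rekor's Merkle tree over the network. The following is an added, self-contained Python example (not part of the hmk1 package or of cosign/Rekor) that builds a small RFC 6962 Merkle tree over constructed sample entries and runs the same two checks offline: an inclusion proof ties one leaf to a tree head, and a consistency proof shows that an older tree head is a prefix of a newer one, which is what comparing the checkpoint retrieved for your own log index against Rekor's latest checkpoint amounts to. The hashing (SHA-256 with 0x00/0x01 domain-separation prefixes) and the verification steps follow RFC 6962 and RFC 9162; the `entry-N` strings are constructed data standing in for log entries.

```python
import hashlib
from typing import Dict, List

# Added example, not the project's own code: an offline RFC 6962 Merkle tree
# with the inclusion and consistency checks a log client performs.
# Leaves are SHA-256(0x00 || data); inner nodes are SHA-256(0x01 || left || right).


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def root_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]): the tree head that a checkpoint commits to."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _split(n)
    return hash_node(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves: List[bytes], m: int) -> List[bytes]:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [root_hash(leaves[:k])]


def consistency_proof(leaves: List[bytes], m: int) -> List[bytes]:
    """PROOF(m, D[n]): evidence that the size-m tree is a prefix of the size-n tree."""

    def subproof(d: List[bytes], m: int, b: bool) -> List[bytes]:
        n = len(d)
        if m == n:
            return [] if b else [root_hash(d)]
        k = _split(n)
        if m <= k:
            return subproof(d[:k], m, b) + [root_hash(d[k:])]
        return subproof(d[k:], m - k, False) + [root_hash(d[:k])]

    if not 0 < m <= len(leaves):
        raise ValueError("need 0 < m <= tree size")
    return subproof(leaves, m, True)


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its path (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = hash_node(p, r)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, proof: List[bytes]) -> bool:
    """Check that the old head is a prefix of the new head (RFC 9162 section 2.1.4.2)."""
    if first == second:
        return not proof and first_hash == second_hash
    if first == 0 or first > second:
        return False
    path = list(proof)
    if first & (first - 1) == 0:  # first is an exact power of two
        path = [first_hash] + path
    if not path:
        return False
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            fr = hash_node(c, fr)
            sr = hash_node(c, sr)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = hash_node(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0


def demo() -> Dict[str, bool]:
    """Constructed scenario: an older checkpoint (3 entries) versus the latest (7 entries)."""
    entries = [f"entry-{i}".encode() for i in range(7)]  # constructed sample entries
    old_size, idx = 3, 5
    old_root, new_root = root_hash(entries[:old_size]), root_hash(entries)
    inclusion = verify_inclusion(hash_leaf(entries[idx]), idx, len(entries),
                                 inclusion_proof(entries, idx), new_root)
    consistency = verify_consistency(old_size, len(entries), old_root, new_root,
                                     consistency_proof(entries, old_size))
    # A substituted leaf must not verify against the same path and head.
    forged = verify_inclusion(hash_leaf(b"forged"), idx, len(entries),
                              inclusion_proof(entries, idx), new_root)
    return {"inclusion": inclusion, "consistency": consistency, "forged_inclusion": forged}


if __name__ == "__main__":
    print(demo())
```

In a real check the leaf hash, log index, tree size, proof hashes and signed root come from Rekor's API responses for your entry and for the latest checkpoint; only the arithmetic above is the same.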
Important notes:
- This repo runs a Trufflehog command to scan each latest commit attempt to prevent secret leaks. However, on a Linux environment the local repo ended up with a likely non-functional pre-commit config: the Docker image of Trufflehog does not support the latest one-commit scan. For a Mac environment, modify pre-commit-config.yaml, line 7, to:
entry: bash -c 'trufflehog git file://. --since-commit HEAD --no-verification --fail --max-depth=1'
notes:
The point of this homework is the know-how of the cosign tools, in particular the Rekor APIs.
- The "security" is implemented as a Merkle tree, and in this homework I compare two nodes in the tree: the latest checkpoint provided by Rekor, which is simply, literally, the latest checkpoint, and the checkpoint of my own signed artifact, which is retrievable via an API call using the log index generated when I signed the artifact.
- Somehow, against my simple understanding of the Merkle tree implementation, the "treeSize" field goes backward: if you check log index 1 on Rekor, the tree size is huge (4163431), while by the point I did this homework and signed a dummy, the size is only 1110000+ ~ish. I wonder what happens when the number reaches 0.
- The prof explained in class that this implementation is lighter-weight than an actual blockchain, but I don't quite see why or how.
reference materials:
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file hmk1-0.1.1.tar.gz.
File metadata
- Download URL: hmk1-0.1.1.tar.gz
- Upload date:
- Size: 3.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.10.12 Linux/6.8.0-49-generic
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f8462ce46d60e7978f6844c71dc3837bdc6f853191efb46b76aa57e2073b56c0 |
| MD5 | b1918a6c3aaaa3901544972f2c00f0f4 |
| BLAKE2b-256 | 556be0c76320ea9e9eeadf90b933d0b1b4118f3812e82bcb2c16d011f47bc470 |
File details
Details for the file hmk1-0.1.1-py3-none-any.whl.
File metadata
- Download URL: hmk1-0.1.1-py3-none-any.whl
- Upload date:
- Size: 3.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.10.12 Linux/6.8.0-49-generic
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 16f7a25546188c257be830f6e8618c5517359dd330dc85fb25024426c947ded5 |
| MD5 | bd279bb131f23052136fd27e8d402a38 |
| BLAKE2b-256 | 4111bd4fcaefac5deafcd2a22e19e3b28dda0d7189bc8fbdb27d7b7939d12beb |