Skip to content

fix(cmd/verify): automatically leverage attestation subjects to resolve artifactsFrom #758

Open
Jaydeep869 wants to merge 3 commits intoin-toto:mainfrom
Jaydeep869:fix-verify-artifacts-from
Open

fix(cmd/verify): automatically leverage attestation subjects to resolve artifactsFrom #758
Jaydeep869 wants to merge 3 commits intoin-toto:mainfrom
Jaydeep869:fix-verify-artifacts-from

Conversation

@Jaydeep869
Copy link
Copy Markdown
Contributor

@Jaydeep869 Jaydeep869 commented Apr 5, 2026

What this PR does / why we need it

When utilizing the artifactsFrom directive with purely materials and products attestators, policy verification fails downstream because these types do not contain explicit backrefs intrinsically tying their step to the downstream step artifact. This decouples the source products from the destination materials, causing the verifier to only use the modified artifact's hash (-f) as the subject and essentially ignoring the original inputs. Users were forced to manually re-inject the older hashes utilizing -s <hash>.

Rather than fundamentally rewriting the verifier engine in in-toto/go-witness to bypass backrefs, this PR bridges the gap automatically at the CLI level.

Specifically, this commit introduces an extractSubjectsFromAttestations helper natively into the witness verify command in cmd/verify.go. Any file passed securely via the -a attestation flag is naturally decompressed, its .Statement.Subject.Digest payloads are enumerated, and its respective artifact hashes are converted into cryptoutil.DigestSet objects.

These extracted arrays are organically appended behind the scenes directly to the subject search pool (vo.AdditionalSubjects) alongside the final -f artifact representation. This completely automates the -s manual bypass technique originally discussed in #416.

Which issue(s) this PR fixes (optional)

Fixes #416

Acceptance Criteria Met

  • Docs changes if needed
  • Testing changes if needed
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • DCO Sign-off

Special notes for your reviewer:
Tested locally against DSSE artifacts. This automates passing the subjects explicitly via -s whenever -a is provided, preventing the trace from breaking downstream.

@Jaydeep869
fix(cmd/verify): automatically leverage attestation subjects to resol…
83a6cb6 
…ve artifactsFrom

When users provide explicit attestations via the '-a' flag, the verifier
would previously fail to map materials to products across steps utilizing
the 'artifactsFrom' directive unless explicit backrefs were stored.

This commit implements a graceful wrapper. It securely parses DSSE envelopes
for any attestations passed via '-a' and artificially populates the search
pool with their respective subjects. This effectively auto-resolves downstream
materials to upstream products, eliminating the need to manually pass old hashes
using the '-s' parameter.

Signed-off-by: jaydeep869 <jaydeeppokhariya2106@gmail.com>
@netlify
Copy link
Copy Markdown

netlify Bot commented Apr 5, 2026
edited
Loading

Deploy Preview for witness-project ready!

Name Link
🔨 Latest commit daeed1d
🔍 Latest deploy log https://app.netlify.com/projects/witness-project/deploys/69d8cbfce9069c0008d41f56
😎 Deploy Preview https://deploy-preview-758--witness-project.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@Jaydeep869
fix(cmd/verify): ignore or handle errcheck for file.Close on read ope…
2d8b204 
…rations

Signed-off-by: jaydeep869 <jaydeeppokhariya2106@gmail.com>
@matglas matglas added the bug Something isn't working label Apr 6, 2026
jkjell
jkjell reviewed Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jkjell jkjell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Would you be able to add a unit test for the new function and an integration test showing this working with two local attestations?

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkjell jkjell jkjell left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Using artifactsFrom fails when backrefs don't exist

3 participants

@Jaydeep869 @jkjell @matglas