Improve file-details with certificate claims #17145

DarkaMaul · 2024-11-21T10:07:46Z

Expose Certificate Claims in UI

This PR implements the UI display of Sigstore certificate claims, providing a more comprehensive view of package attestations.

Implementation Details

Displays certificate claims extracted from Sigstore certificates using pypi-attestation
pypi-attestation returns a dict[str, str] mapping OIDs (dotted strings) to their decoded values
Only active OIDs from the Fulcio Claims list are included (OIDs .8 to .22)

Dependencies

Requires Add claims to Attestation trailofbits/pypi-attestations#70
Currently using a temporary container update for pypi-attestation (to be removed before merge)

Closes #17122
/cc @di @woodruffw @facutuesca

# Conflicts: # warehouse/templates/includes/file-details.html

woodruffw · 2024-11-22T17:28:03Z

Dockerfile

@@ -220,7 +220,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    set -x \
    && apt-get update \
    && apt-get install --no-install-recommends -y \
-        libpq5 libxml2 libxslt1.1 libcurl4  \


Just flagging for review: this needs to be removed before merge.

woodruffw · 2024-11-22T17:39:38Z

warehouse/templates/includes/file-details.html

+              {% set claims = attestation.certificate_claims %}
+              Source repository:
+              <ul>
+                <!-- 1.3.6.1.4.1.57264.1.12 | Source Repository URI-->
+                <!-- 1.3.6.1.4.1.57264.1.13 | Source Repository Digest-->
+                <li>Permalink: <a href="{{ repo_url_with_reference(claims.get("1.3.6.1.4.1.57264.1.12"), claims.get("1.3.6.1.4.1.57264.1.13")) }}">
+                    <code>{{ repository_name(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>
+                </a></li>
+                <!-- 1.3.6.1.4.1.57264.1.14 | Source Repository Ref-->
+                <li>Branch / Tag: <a href="{{ repo_url_with_reference(claims.get("1.3.6.1.4.1.57264.1.12"), claims.get("1.3.6.1.4.1.57264.1.14")) }} ">
+                    <code>{{ claims.get("1.3.6.1.4.1.57264.1.14") }}</code>
+                </a></li>
+                <!-- 1.3.6.1.4.1.57264.1.15 | Source Repository Identifier-->
+                <!-- 1.3.6.1.4.1.57264.1.16 | Source Repository Owner URI-->
+                <li>Owner: <a href="{{ claims.get("1.3.6.1.4.1.57264.1.16") }}">{{ claims.get("1.3.6.1.4.1.57264.1.16") }}</a></li>
+                <!-- 1.3.6.1.4.1.57264.1.17 | Source Repository Owner Identifier-->
+                <!-- 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing-->
+                <li>Access: <code>{{ claims.get("1.3.6.1.4.1.57264.1.22") }}</code></li>
+              </ul>
+              Build information:
+              <ul>
+                <!-- 1.3.6.1.4.1.57264.1.8 | Issuer-->
+                <!-- 1.3.6.1.4.1.57264.1.9 | Build Signer URI-->
+                <!-- 1.3.6.1.4.1.57264.1.10 | Build Signer Digest-->
+                <li>Token Issuer: <code>{{ claims.get("1.3.6.1.4.1.57264.1.8") }}</code></li>
+                <!-- 1.3.6.1.4.1.57264.1.11 | Runner Environment-->
+                <li>Build Environment: <code>{{ claims.get("1.3.6.1.4.1.57264.1.11") }}</code></li>
+                <!-- 1.3.6.1.4.1.57264.1.18 | Build Config URI-->
+                <!-- 1.3.6.1.4.1.57264.1.19 | Build Config Digest-->
+                <li>Build Configuration File:
+                  <a href="{{ workflow_url(bundle.publisher, claims) }}">
+                    <code>{{ workflow_filename(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.19") }}</code>
+                  </a>
+                </li>
+                <!-- 1.3.6.1.4.1.57264.1.20 | Build Trigger-->
+                <li>Trigger Event: <code>{{ claims.get("1.3.6.1.4.1.57264.1.20") }}</code></li>
+                <!-- 1.3.6.1.4.1.57264.1.21 | Run Invocation URI-->
+              </ul>


Doing these mappings/selections within the template is likely going to be brittle/hard to test going forwards -- I think we'd be better off defining a Jinja2 function or other helper within the Python codebase to do these transforms.

(I'm not 100% sure how best to do this, since the way we render each claim varies based on its content/expected format, e.g. URLs. Maybe @di has thoughts?)

woodruffw · 2024-11-22T17:40:54Z

warehouse/templates/includes/file-details.html

+                <!-- 1.3.6.1.4.1.57264.1.12 | Source Repository URI-->
+                <!-- 1.3.6.1.4.1.57264.1.13 | Source Repository Digest-->
+                <li>Permalink: <a href="{{ repo_url_with_reference(claims.get("1.3.6.1.4.1.57264.1.12"), claims.get("1.3.6.1.4.1.57264.1.13")) }}">
+                    <code>{{ repository_name(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>


Stylistic nitpick: I've seen @ used more commonly as a convention for referencing SHAs:

Suggested change

<code>{{ repository_name(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>

<code>{{ repository_name(bundle.publisher) }}@{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>

di · 2024-11-22T18:39:52Z

warehouse/templates/includes/file-details.html

+  Permanent source link: <a href="{{ repo_url_with_reference(claims.get('1.3.6.1.4.1.57264.1.12'),claims.get('1.3.6.1.4.1.57264.1.13')) }}">
+    <i class="fa-brands fa-{{ brand }}" aria-hidden="true"></i>
+    {{ repository_name(publ) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}


I think this is going to get confusing when we start to have build & publish attestations, since there's no guarantee that they come from the same hash. I think we should just push deep links like this down into the individual attestations instead.

di · 2024-11-22T18:41:02Z

warehouse/templates/includes/file-details.html

+                <!-- 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing-->
+                <li>Access: <code>{{ claims.get("1.3.6.1.4.1.57264.1.22") }}</code></li>
+              </ul>
+              Build information:


"Build information" for a publish attestation is confusing, we shouldn't really be using the word "build" in the context of a "publish" attestation I think.

DarkaMaul added 4 commits November 21, 2024 09:57

Initial version

6f73bec

Merge branch 'main' into dm/expose-claims

c785cd5

# Conflicts: # warehouse/templates/includes/file-details.html

Refine UI

3f43bfb

Update translations

baa9e72

woodruffw reviewed Nov 22, 2024

View reviewed changes

di reviewed Nov 22, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve file-details with certificate claims #17145

Improve file-details with certificate claims #17145

DarkaMaul commented Nov 21, 2024

woodruffw Nov 22, 2024

woodruffw Nov 22, 2024

woodruffw Nov 22, 2024

di Nov 22, 2024

di Nov 22, 2024

	<code>{{ repository_name(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>
	<code>{{ repository_name(bundle.publisher) }}@{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code>

Improve file-details with certificate claims #17145

Are you sure you want to change the base?

Improve file-details with certificate claims #17145

Conversation

DarkaMaul commented Nov 21, 2024

Expose Certificate Claims in UI

Implementation Details

Dependencies

woodruffw Nov 22, 2024

Choose a reason for hiding this comment

woodruffw Nov 22, 2024

Choose a reason for hiding this comment

woodruffw Nov 22, 2024

Choose a reason for hiding this comment

di Nov 22, 2024

Choose a reason for hiding this comment

di Nov 22, 2024

Choose a reason for hiding this comment