@javirln javirln commented Jan 9, 2026

This PR adds platform-based commit signature verification during attestation initialization. When creating an attestation, the system now queries GitHub or GitLab APIs to verify if the commit was signed and validated by the platform.

Extended the attestation initialization process to include commit signature verification status. The verification captures whether a commit's signature was validated by GitHub or GitLab, including details about the signature algorithm, key ID, and verification status.

Added new VerifyCommitSignature method to the SupportedRunner interface. Implemented verification for:

  • GitHub Actions: Uses GitHub REST API with GITHUB_TOKEN
  • GitLab CI: Uses GitLab API /signature endpoint with CI_JOB_TOKEN
  • Dagger Pipeline: Detects underlying CI platform and delegates appropriately

Protobuf Schema

Extended Commit message with optional platform_verification field containing:

  • Verification status (verified, unverified, unavailable, not applicable)
  • Reason for the verification result
  • Platform name (github, gitlab)
  • Key ID and signature algorithm

Verification failures never block attestation creation. All errors result in recording the unavailable or not applicable status, allowing the attestation process to continue.

Example

Example from a GitHub Action. This is part of the crafting state:

```json
"runnerType": "GITHUB_ACTION",
"head": {
  "hash": "6a6f5761863d107f39df09b7cdc34a464c44a0f7",
  "authorEmail": "REDACTED",
  "authorName": "Javier Rodríguez",
  "message": "Update test-commit-verification.yml",
  "date": "2026-01-09T12:25:23Z",
  "remotes": [
    {
      "name": "origin",
      "url": "https://github.com/javirln/goreleaser"
    }
  ],
  "signature": "-----BEGIN PGP SIGNATURE-----SIGNATURE-----END PGP SIGNATURE-----\n\n",
  "platformVerification": {
    "attempted": true,
    "status": "VERIFICATION_STATUS_VERIFIED",
    "reason": "valid",
    "platform": "github",
    "signatureAlgorithm": "PGP"
  }
},
"signingOptions": {
  "timestampAuthorityUrl": "http://timestamp.digicert.com/",
  "signingCa": "fileCA"
},
```

Example of attestation:

```json
"annotations": {
  "author.email": "REDACTED",
  "author.name": "Javier Rodríguez",
  "author.verified": "VERIFICATION_STATUS_VERIFIED",
  "date": "2026-01-09T12:30:26Z",
  "message": "Update test-commit-verification.yml",
  "remotes": [
    {
      "name": "origin",
      "url": "https://github.com/javirln/goreleaser"
    }
  ],
  "signature": "-----BEGIN PGP SIGNATURE-----SIGNATURE-----END PGP SIGNATURE-----\n\n",
  "signature.algorithm": "PGP"
}
```
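The following is an added illustration of the GitHub Actions path described in this PR (query the platform's API with the job token, map its verdict to a status, and degrade to "unavailable" on any failure rather than aborting). It is not Chainloop's implementation. It reads only the `commit.verification` object of GitHub's `GET /repos/{owner}/{repo}/commits/{sha}` response; the status names follow the crafting-state example above, the `algorithmFromArmor` inference from the armored header is an assumption of this example, and `NewFakeGitHubAPI` serves constructed responses so the flow runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// VerificationStatus uses the status names seen in the PR's crafting-state example.
type VerificationStatus string

const (
	StatusVerified    VerificationStatus = "VERIFICATION_STATUS_VERIFIED"
	StatusUnverified  VerificationStatus = "VERIFICATION_STATUS_UNVERIFIED"
	StatusUnavailable VerificationStatus = "VERIFICATION_STATUS_UNAVAILABLE"
)

// PlatformVerification is what gets recorded next to the commit; it is never an error.
type PlatformVerification struct {
	Attempted, Status, Reason, Platform, SignatureAlgorithm string
}

// githubCommit is the subset of GitHub's commit response that carries its own verdict.
type githubCommit struct {
	Commit struct {
		Verification struct {
			Verified  bool    `json:"verified"`
			Reason    string  `json:"reason"`
			Signature *string `json:"signature"`
		} `json:"verification"`
	} `json:"commit"`
}

// algorithmFromArmor infers the signature type from the armored header.
// Assumption of this example: only PGP and SSH armors are distinguished.
func algorithmFromArmor(sig string) string {
	switch {
	case strings.HasPrefix(sig, "-----BEGIN PGP SIGNATURE-----"):
		return "PGP"
	case strings.HasPrefix(sig, "-----BEGIN SSH SIGNATURE-----"):
		return "SSH"
	}
	return "UNKNOWN"
}

// VerifyGitHubCommit asks GitHub whether it validated the commit's signature.
// Transport, auth, HTTP and decoding failures all become StatusUnavailable with a
// reason, so attestation creation can continue (the PR's "never block" rule).
func VerifyGitHubCommit(ctx context.Context, apiBase, token, ownerRepo, sha string) PlatformVerification {
	pv := PlatformVerification{Attempted: "true", Platform: "github", Status: string(StatusUnavailable)}
	url := fmt.Sprintf("%s/repos/%s/commits/%s", apiBase, ownerRepo, sha)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		pv.Reason = "request build failed: " + err.Error()
		return pv
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("Authorization", "Bearer "+token) // GITHUB_TOKEN inside Actions
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		pv.Reason = "api unreachable: " + err.Error()
		return pv
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		pv.Reason = fmt.Sprintf("api returned HTTP %d", resp.StatusCode)
		return pv
	}
	var body githubCommit
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		pv.Reason = "malformed api response: " + err.Error()
		return pv
	}
	v := body.Commit.Verification
	pv.Reason = v.Reason // GitHub's own reason string, e.g. "valid" or "unsigned"
	pv.Status = string(StatusUnverified)
	if v.Verified {
		pv.Status = string(StatusVerified)
	}
	if v.Signature != nil {
		pv.SignatureAlgorithm = algorithmFromArmor(*v.Signature)
	}
	return pv
}

// NewFakeGitHubAPI serves constructed responses: "aaaa" is platform-verified,
// "bbbb" is unsigned, anything else is 404, and a wrong token is 401.
func NewFakeGitHubAPI() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/repos/example/repo/commits/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		switch strings.TrimPrefix(r.URL.Path, "/repos/example/repo/commits/") {
		case "aaaa":
			fmt.Fprint(w, `{"commit":{"verification":{"verified":true,"reason":"valid","signature":"-----BEGIN PGP SIGNATURE-----\nSIG\n-----END PGP SIGNATURE-----"}}}`)
		case "bbbb":
			fmt.Fprint(w, `{"commit":{"verification":{"verified":false,"reason":"unsigned","signature":null}}}`)
		default:
			http.Error(w, `{"message":"Not Found"}`, http.StatusNotFound)
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeGitHubAPI()
	defer srv.Close()
	for _, sha := range []string{"aaaa", "bbbb", "cccc"} {
		fmt.Printf("%s: %+v\n", sha, VerifyGitHubCommit(context.Background(), srv.URL, "test-token", "example/repo", sha))
	}
}
```

The point worth checking in a review of such code is the failure path: a 401 from a mis-scoped token, a 404, or an unreachable API must all land in the unavailable status with a diagnostic reason, and must not be confused with "unverified", which is the platform's positive statement that it could not validate the signature.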

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln self-assigned this Jan 9, 2026
@javirln javirln requested review from jiparis and migmartri January 9, 2026 11:51
@javirln javirln marked this pull request as draft January 9, 2026 12:00
@javirln javirln marked this pull request as ready for review January 9, 2026 12:29
@javirln javirln marked this pull request as draft January 12, 2026 08:20
@javirln javirln marked this pull request as ready for review January 12, 2026 08:28
@jiparis jiparis left a comment

Looks good to me, thanks!

@migmartri migmartri left a comment

Thanks @javirln, see my comment about updating the annotations

@migmartri

Btw, this feature is awesome, let's make sure we update our docs and changelog to reflect it

@javirln javirln merged commit 194af1a into chainloop-dev:main Jan 12, 2026
13 checks passed