hmk1


Name: hmk1
Version: 0.1.5
Summary: A package that is quite pointless
Upload time: 2024-12-01 22:49:19
Maintainer: John Smith
Author: some dude
Requires Python: <4.0,>=3.10
License: MIT
Home page: None
Docs URL: None
Requirements: No requirements were recorded.
# This is homework1 of CS-GY/UY 3943/9223 Supply Chain Security

## set-up:
This project is built on the sigstore [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) tool. On Linux, install the release binary:
```bash
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
```
The cosign release page also publishes checksums and signatures for these binaries; since the whole point of the exercise is supply-chain integrity, check them before installing. If you have ``go`` or ``homebrew`` installed, those install routes are easier.
## Signing an artifact:
1. Sign an artifact with cosign using your OIDC identity (keyless signing):
```bash
cosign sign-blob <file> --bundle cosign.bundle
```
   cosign opens a browser for the OIDC login, prints the log index of the new Rekor entry, and writes the signature, certificate and Rekor response into ``cosign.bundle``. Keep that log index: it is how you fetch your entry back from Rekor later.
You can also refer to the official [cosign tutorial](https://docs.sigstore.dev/cosign/signing/signing_with_blobs/)

## After signing an artifact:
commands:
```bash
python3 main.py -c
python3 main.py --inclusion <artifact>   # <artifact> is any file you signed above
python3 main.py --consistency
```
## Important notes:

- This repo runs a [Trufflehog](https://github.com/trufflesecurity/trufflehog)
    command as a pre-commit hook to scan the latest commit and prevent secret leaks.
    However, in my local Linux environment this resulted in a likely non-functional
    pre-commit config: the Trufflehog Docker image does not support a scan of only
    the latest commit. For a Mac environment, modify ``pre-commit-config.yaml``, line 7, to:
    ```yaml
    entry: bash -c 'trufflehog git file://. --since-commit HEAD --no-verification --fail --max-depth=1'
    ```

## notes
The point of this homework is the know-how of the cosign tools, in particular the Rekor APIs.
- The "security" is implemented as a Merkle tree, and in this homework I compare two nodes in the tree:
the latest checkpoint provided by Rekor (simply the most recent checkpoint the log has published)
and the checkpoint of my own signed artifact, which is retrievable via
an API call using the log index generated when I signed the artifact.

- Somehow, against my simple understanding of the Merkle tree implementation, the "treeSize" field goes backward:
if you check log index 1 on Rekor, the tree size is huge (4163431), while by the time I did this homework
and signed a dummy artifact, the size was only 1110000-ish. I wonder what happens when the number
reaches 0.

- The professor explained in class that this implementation is lighter-weight than an actual blockchain, but I don't quite see why or how.
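
To make the two checks concrete, here is an added example (not the homework's code and not sigstore's): a plain-Python RFC 6962 Merkle tree over SHA-256, which is the hashing scheme Rekor uses, with the inclusion-proof and consistency-proof verification algorithms from RFC 9162 run against a constructed seven-entry log. `verify_rekor_inclusion` is glue for the shape of Rekor's `inclusionProof` object; the field names `logIndex`, `treeSize`, `hashes` and `rootHash` are from the API, while hex-encoded hashes and a shard-relative `logIndex` are assumptions made here. The entry bodies and the "rewritten" fork are made up for the demo. On the treeSize puzzle above: the public Rekor instance is sharded, and the `treeSize` in an inclusion proof is the size of the shard that holds the entry, so an entry in an older, frozen shard can report a bigger tree than the currently active shard has. A consistency proof is only meaningful between two checkpoints of the same shard, and the check is direction-sensitive: a newer checkpoint with a smaller tree is a rollback, not consistency.

```python
# Added example, not the homework's or sigstore's code: an RFC 6962 Merkle tree over SHA-256
# (the hashing Rekor uses) with the inclusion and consistency checks this homework performs.
import base64
import hashlib

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()          # leaf = H(0x00 || data)

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # node = H(0x01 || L || R)

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)                  # largest power of two below n

def root_hash(leaves: list[bytes]) -> bytes:
    """Merkle tree hash over a non-empty, ordered list of leaf data."""
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(m: int, leaves: list[bytes]) -> list[bytes]:
    """Audit path for leaf m: sibling hashes from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [root_hash(leaves[:k])]

def consistency_proof(m: int, leaves: list[bytes], complete: bool = True) -> list[bytes]:
    """Proof that the tree over leaves[:m] is a prefix of the tree over leaves (1 <= m)."""
    if m == len(leaves):
        return [] if complete else [root_hash(leaves)]
    k = _split(len(leaves))
    if m <= k:
        return consistency_proof(m, leaves[:k], complete) + [root_hash(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [root_hash(leaves[:k])]

def verify_inclusion(index: int, size: int, leaf: bytes, proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 2.1.3.2: rebuild the root from a leaf hash and its audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:        # p is a left sibling (or we sit on the right edge)
            r = node_hash(p, r)
            while fn and not fn & 1:  # skip levels where our node has no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def verify_consistency(first: int, second: int, first_root: bytes, second_root: bytes,
                       proof: list[bytes]) -> bool:
    """RFC 9162 2.1.4.2: the older checkpoint must be a prefix of the newer one."""
    if first > second:
        return False                  # a log that shrank can never be consistent
    if first == second:
        return not proof and first_root == second_root
    if first == 0 or not proof:
        return False                  # an empty proof (or empty old tree) proves nothing here
    path = ([first_root] if (first & (first - 1)) == 0 else []) + list(proof)
    fn, sn = first - 1, second - 1
    while fn & 1:                     # old root is the top of a complete subtree
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root

def verify_rekor_inclusion(body_b64: str, inclusion: dict) -> bool:
    """Check a Rekor entry's base64 `body` against its `inclusionProof` (hex hashes assumed)."""
    hashes = [bytes.fromhex(h) for h in inclusion["hashes"]]
    return verify_inclusion(inclusion["logIndex"], inclusion["treeSize"],
                            leaf_hash(base64.b64decode(body_b64)), hashes,
                            bytes.fromhex(inclusion["rootHash"]))

def demo() -> dict:
    """Constructed seven-entry log with made-up bodies; returns each check's verdict."""
    log = [f'{{"entry": {i}}}'.encode() for i in range(7)]
    forked = log[:2] + [b'{"entry": "rewritten"}'] + log[3:]   # operator rewrote entry 2
    proof_obj = {"logIndex": 5, "treeSize": 7, "rootHash": root_hash(log).hex(),
                 "hashes": [h.hex() for h in inclusion_proof(5, log)]}
    return {
        "inclusion_ok": verify_rekor_inclusion(base64.b64encode(log[5]).decode(), proof_obj),
        "inclusion_tampered": verify_rekor_inclusion(base64.b64encode(forked[2]).decode(), proof_obj),
        "consistency_ok": verify_consistency(4, 7, root_hash(log[:4]), root_hash(log), consistency_proof(4, log)),
        "split_view": verify_consistency(3, 7, root_hash(log[:3]), root_hash(forked), consistency_proof(3, forked)),
    }
```

The `split_view` case is the point of the consistency check: a log operator who rewrites entry 2 can still hand out a valid-looking inclusion proof for entry 5 against the new root, but cannot produce a proof that the old three-entry root is a prefix of the new seven-entry root, so a monitor that remembers the old checkpoint catches the fork.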


## reference materials:
- [Template Code from class TA](https://github.com/mayank-ramnani/python-rekor-monitor-template)
- [Rekor API Spec](https://www.sigstore.dev/swagger/#/tlog/getLogInfo)
            

Raw data

{
    "_id": null,
    "home_page": null,
    "name": "hmk1",
    "maintainer": "John Smith",
    "docs_url": null,
    "requires_python": "<4.0,>=3.10",
    "maintainer_email": "johnsmith@example.org",
    "keywords": null,
    "author": "some dude",
    "author_email": "jr5887@nyu.edu",
    "download_url": "https://files.pythonhosted.org/packages/9a/da/811f110c2dbfce0e21e7724fcb41944d6d5e967e044e985d95ae7cc28d65/hmk1-0.1.5.tar.gz",
    "platform": null,
    "description": "# This is homework1 of CS-GY/UY 3943/9223 SUpply Chain Secrity\n\n## set-up:\nThis entire project is based on the sigstore [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) tools\non linux:\n```bash\ncurl -O -L \"https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64\"\nsudo mv cosign-linux-amd64 /usr/local/bin/cosign\nsudo chmod +x /usr/local/bin/cosign\n```\nIf you have ``go`` or ``homebrew`` it would be easier.\n## Signing an artifact:\n1. Sign an artifact using cosign tool with your identity using:\n```bash\n    cosign sign-blob <file> --bundle cosign.bundle\n  ```\nYou can also refer to the official [cosign tutorial](https://docs.sigstore.dev/cosign/signing/signing_with_blobs/)\n\n## After signing an artifact:\ncommands:\n```bash\npython3 main.py -c\npython3 main.py --inclusion <artifact> \n  # (the last argument can be changed to anything you signed)\npython3 main.py --consistency\n```\n## Important notes:\n\n- This repo runs a [Trufflehog](https://github.com/trufflesecurity/trufflehog) \n    command to scan each latest commit attempt to prevent secret leak,\n    however, the local repo on linux environment resulted in likely non-functional\n    pre-commit config. The Docker image of Trufflehog does not support laetst one-\n    commit scan. For Mac environment, modify ``pre-commit-config.yaml``, line 7, to:\n    ```yaml\n    entry: bash -c 'trufflehog git file://. --since-commit HEAD --no-verification --fail --max-depth=1'\n    ```\n\n## notes\nThe point of this homework is the know-how of cosign tools, i particular the rekor APIs\n- the \"security\" is implemented as a merkle tree, and in this homework I compare two nodes in the tree:\nthe latest checkpoint provided by Rekor that is just simply literally the latest checkpoint\nand the checkpoint of my own signed artifact which is retrievable via\napi call using the log index generated when I signed the artifact.\n\n- somehow against my simple understanding of the merkle tree implementation, the \"treeSize\" filed goes backward:\nIf you check the log index 1 on Rekor, the tree size is huge (4163431) while by the point I did this homework\nand signed a dummy, the size is only 1110000+ ~ish, I wonder what happens when number\nreaches 0.\n\n- prof explained in class that this implementation is lighter-weight than actual blockchain but I don't quite see why or how.\n\n\n## reference materials:\n- [Template Code from class TA](https://github.com/mayank-ramnani/python-rekor-monitor-template)\n- [Rekor API Spec](https://www.sigstore.dev/swagger/#/tlog/getLogInfo)",
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "A package that is quite pointless",
    "version": "0.1.5",
    "project_urls": null,
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "a66ab96e40bf33245c1e64f7f4665894d7fdbd48086dbd49c3a1600373774ea8",
                "md5": "74ef0bf6be1113baf999f3fbb5852895",
                "sha256": "f4ac3768aaf79bb0cbbb0b2e7f9f25c9b345e12c16a293c51210fb91fcaa1b37"
            },
            "downloads": -1,
            "filename": "hmk1-0.1.5-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "74ef0bf6be1113baf999f3fbb5852895",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": "<4.0,>=3.10",
            "size": 9680,
            "upload_time": "2024-12-01T22:49:17",
            "upload_time_iso_8601": "2024-12-01T22:49:17.497606Z",
            "url": "https://files.pythonhosted.org/packages/a6/6a/b96e40bf33245c1e64f7f4665894d7fdbd48086dbd49c3a1600373774ea8/hmk1-0.1.5-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "9ada811f110c2dbfce0e21e7724fcb41944d6d5e967e044e985d95ae7cc28d65",
                "md5": "9911910a3d1b20668fcd8192b278f7a2",
                "sha256": "818a9244515605ba7068ad8fdacbb2a04319470ecb1188601a46134b9504ba20"
            },
            "downloads": -1,
            "filename": "hmk1-0.1.5.tar.gz",
            "has_sig": false,
            "md5_digest": "9911910a3d1b20668fcd8192b278f7a2",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "<4.0,>=3.10",
            "size": 10118,
            "upload_time": "2024-12-01T22:49:19",
            "upload_time_iso_8601": "2024-12-01T22:49:19.146488Z",
            "url": "https://files.pythonhosted.org/packages/9a/da/811f110c2dbfce0e21e7724fcb41944d6d5e967e044e985d95ae7cc28d65/hmk1-0.1.5.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-12-01 22:49:19",
    "github": false,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "lcname": "hmk1"
}
        