-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support directory hashes #730
Comments
jsonnet-bundler has a small utility method to generate the hash of a directory which might be useful here as well: https://github.com/jsonnet-bundler/jsonnet-bundler/blob/master/pkg/packages.go#L351 |
this code is not safe from a cryptographic hash point of view, e.g. you can rename files to change their meaning. The hash we have in the model repo also handled parallel hashing using a tree. See comments in sigstore/model-transparency#49 |
An even greater problem with the hash is that it lacks delimiters between files. So the two following directories will produce the same hashes: will produce the same hash has: |
ok I did not realize that the directory hash should be also taking that into account. Maybe tree hashes as calculated by git would be useful. Here is some test that I performed by creating a file with the same content but different filename in different directories and how the hash would be calculated by git. If the filename is equal, the hash is the same, if the filename differs, also the hash differs.
|
This could work but forces existence of a |
Sorry for the misunderstanding, I did not intend to suggest to use git itself, but rather its mechanism to generate tree hashes. |
Oh, fair point. Thanks for clarifications. |
Just adding to the conversation: merkle trees seem like they could be a good way to hash directories, and someone has tried this in go. re: your comments, I think we could add an aptional CLI switch to slsa-verifier like |
Thank you! We're now also experimenting with a manifest file instead of a hash of everything, but probably this won't work for SLSA (sigstore/model-transparency#111). Let's continue experimenting |
SLSA will replace the manifest format by a provenance format, the rest probably can remain the same |
As part of the effort to bring SLSA to ML https://github.com/google/model-transparency, we need to be able to sign directories. This requires the definition of a new "hash", i.e. how to serialize a directory. We have a PoC for this in the repo linked above, and need to implement it in slsa-verifier
The text was updated successfully, but these errors were encountered: