Feat/conda witness

.github/witness/README.md

@@ -0,0 +1,145 @@
+# Witness Integration Testing for Conda
+
+This directory contains test resources for the `conda verify` command integration with in-toto/witness.
+
+## Directory Structure
+
+```
+.github/witness/
+├── README.md                  # This file
+├── generate-test-keys.sh      # Script to generate test keys
+├── policy-template.yaml       # Template for witness policies
+├── example-policy.yaml        # Simple example policy
+└── keys/                      # Test keys directory
+    ├── .gitignore            # Prevents committing private keys
+    ├── policy-key.pub        # Public key for policy verification
+    ├── test-key.pub          # Public key for test attestations
+    ├── build-key.pub         # Public key for build attestations
+    └── functionary-key.pub   # Public key for functionary identity
+```
+
+## GitHub Actions Workflow
+
+The workflow `.github/workflows/test-witness-verify.yml` tests the conda verify integration:
+
+### Workflow Steps
+
+1. **Setup**: Install Python, witness CLI, and conda dependencies
+2. **Key Generation**: Generate test RSA key pairs for signing
+3. **Build with Attestation**: Use witness-run-action to create attestations
+4. **Policy Creation**: Generate and sign a witness policy
+5. **Verification Tests**: Test various conda verify scenarios
+6. **Negative Tests**: Ensure proper error handling
+
+### Trigger Conditions
+
+The workflow runs on:
+- Push to `feat/conda-witness` or `main` branches
+- Pull requests affecting witness-related files
+- Manual trigger via workflow_dispatch
+
+## Local Testing
+
+### Prerequisites
+
+1. Install witness CLI:
+```bash
+# macOS/Linux
+curl -L https://github.com/in-toto/witness/releases/latest/download/witness_$(uname -s)_$(uname -m).tar.gz -o witness.tar.gz
+tar -xzf witness.tar.gz
+sudo mv witness /usr/local/bin/
+```
+
+2. Install Python dependencies:
+```bash
+pip install ruamel.yaml requests pycosat boltons platformdirs frozendict
+```
+
+### Running Tests
+
+1. Generate test keys:
+```bash
+.github/witness/generate-test-keys.sh
+```
+
+2. Run the integration test:
+```bash
+./test-witness-integration.sh
+```
+
+## Key Management
+
+### Test Keys
+
+The `generate-test-keys.sh` script creates several key pairs:
+- **policy-key**: For signing witness policies
+- **test-key**: For test attestations
+- **build-key**: For build process attestations
+- **functionary-key**: For functionary identity
+- **ed25519-key**: Alternative Ed25519 key pair
+
+### Security Notes
+
+- Private keys (*.pem) are automatically gitignored
+- Only public keys (*.pub) should be committed
+- These are TEST keys only - never use in production
+- Generate new keys for actual deployments
+
+## Policy Examples
+
+### Simple Policy (example-policy.yaml)
+
+Basic policy requiring command-run and environment attestations:
+```yaml
+expires: "2030-01-01T00:00:00Z"
+steps:
+  - name: build
+    attestations:
+      - type: https://witness.dev/attestations/command-run/v0.1
+      - type: https://witness.dev/attestations/environment/v0.1
+    functionaries:
+      - type: publickey
+        publickeyid: "test-functionary"
+```
+
+### Advanced Policy (policy-template.yaml)
+
+Comprehensive policy with:
+- Multiple attestation types
+- Rego policies for validation
+- Git and GitHub attestations
+- Multiple build steps
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Witness not found**: Install witness CLI as shown in prerequisites
+2. **Key permission errors**: Ensure private keys have 600 permissions
+3. **Policy validation fails**: Check key IDs match between policy and attestations
+4. **Python import errors**: Install all required conda dependencies
+
+### Debugging
+
+Enable debug output:
+```bash
+export CONDA_DEBUG=1
+witness verify --log-level debug ...
+```
+
+View attestation contents:
+```bash
+cat attestation.json | jq '.'
+```
+
+Verify policy signature:
+```bash
+witness verify-signature --key policy-key.pub policy-signed.yaml
+```
+
+## Resources
+
+- [Witness Documentation](https://witness.dev)
+- [Witness GitHub](https://github.com/in-toto/witness)
+- [in-toto Specification](https://in-toto.io)
+- [Conda Verify Documentation](../../WITNESS_INTEGRATION.md)

.github/witness/example-policy.yaml

@@ -0,0 +1,25 @@
+# Simple Witness Policy for Testing Conda Verify
+expires: "2030-01-01T00:00:00Z"
+steps:
+  - name: build
+    attestations:
+      # Basic attestation types without complex policies
+      - type: https://witness.dev/attestations/command-run/v0.1
+      - type: https://witness.dev/attestations/environment/v0.1
+    functionaries:
+      - type: publickey
+        publickeyid: "test-functionary"
+
+publickeys:
+  test-functionary:
+    keyid: "test-functionary"
+    key: |
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1V6KqKKLKCRMpKsCQR5l
+      h7gRvLdGwLlEuWbUcvLJvXyf1W4GAuB/Or5e7dyr0Z4TQjdLOtp5q/uw/VPDqxqP
+      AqnhQn3p5C4YzVQGPcMjn6Qf8kjkDylYJlH9induRr+7/qhSbHBnbfqNR2PzLhQR
+      Vz2qLq2VfFsGOmxEAwYO8eHPqv5LoqvuLqEXZhMF5XlFqLNbkuDy0tXnH/fWLLHJ
+      fs42HkXcN72LvEd7N1cufZUEdUVJ6EbBT0vE8fPqaGPPPTkMnDvjYJq7OIlifpRw
+      G6BqRvhFVHlPkLXgKLPktDxTlRwqFRCvGDm5l6DjoJZ8KvujTAOEw/fNMqmATlxN
+      dQIDAQAB
+      -----END PUBLIC KEY-----

.github/witness/generate-test-keys.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+# Script to generate test keys for witness policy signing and attestation
+
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+KEYS_DIR="${SCRIPT_DIR}/keys"
+
+echo "Generating test keys for witness integration..."
+
+# Create keys directory if it doesn't exist
+mkdir -p "${KEYS_DIR}"
+
+# Function to generate a key pair
+generate_key_pair() {
+    local key_name=$1
+    local key_size=${2:-2048}
+
+    echo "Generating ${key_name} key pair (${key_size} bits)..."
+
+    # Generate private key
+    openssl genrsa -out "${KEYS_DIR}/${key_name}.pem" ${key_size} 2>/dev/null
+
+    # Generate public key
+    openssl rsa -in "${KEYS_DIR}/${key_name}.pem" -pubout -out "${KEYS_DIR}/${key_name}.pub" 2>/dev/null
+
+    # Set appropriate permissions
+    chmod 600 "${KEYS_DIR}/${key_name}.pem"
+    chmod 644 "${KEYS_DIR}/${key_name}.pub"
+
+    echo "  ✓ Generated ${key_name}.pem (private key)"
+    echo "  ✓ Generated ${key_name}.pub (public key)"
+}
+
+# Generate keys for different purposes
+generate_key_pair "policy-key" 2048      # For signing policies
+generate_key_pair "test-key" 2048        # For test attestations
+generate_key_pair "build-key" 2048       # For build attestations
+generate_key_pair "functionary-key" 2048 # For functionary identity
+
+# Generate an Ed25519 key pair (alternative to RSA)
+echo "Generating Ed25519 key pair..."
+openssl genpkey -algorithm ed25519 -out "${KEYS_DIR}/ed25519-key.pem" 2>/dev/null
+openssl pkey -in "${KEYS_DIR}/ed25519-key.pem" -pubout -out "${KEYS_DIR}/ed25519-key.pub" 2>/dev/null
+chmod 600 "${KEYS_DIR}/ed25519-key.pem"
+chmod 644 "${KEYS_DIR}/ed25519-key.pub"
+echo "  ✓ Generated ed25519-key.pem (private key)"
+echo "  ✓ Generated ed25519-key.pub (public key)"
+
+# Create a sample certificate (for x.509 policy signing)
+echo "Generating self-signed certificate..."
+openssl req -new -x509 -days 3650 -key "${KEYS_DIR}/policy-key.pem" \
+    -out "${KEYS_DIR}/policy-cert.pem" \
+    -subj "/C=US/ST=State/L=City/O=TestOrg/CN=conda-witness-test" 2>/dev/null
+chmod 644 "${KEYS_DIR}/policy-cert.pem"
+echo "  ✓ Generated policy-cert.pem (self-signed certificate)"
+
+# Display key information
+echo ""
+echo "Generated keys summary:"
+echo "======================"
+ls -la "${KEYS_DIR}/"
+
+echo ""
+echo "Key fingerprints:"
+for pubkey in "${KEYS_DIR}"/*.pub; do
+    if [ -f "$pubkey" ]; then
+        key_name=$(basename "$pubkey" .pub)
+        fingerprint=$(openssl pkey -pubin -in "$pubkey" -outform DER 2>/dev/null | openssl dgst -sha256 -binary | base64)
+        echo "  ${key_name}: ${fingerprint}"
+    fi
+done
+
+echo ""
+echo "✅ Test keys generated successfully!"
+echo ""
+echo "Usage examples:"
+echo "  Sign a policy:    witness sign --key ${KEYS_DIR}/policy-key.pem policy.yaml"
+echo "  Run with signing: witness run --key ${KEYS_DIR}/test-key.pem --command 'build.sh'"
+echo "  Verify:          conda verify --publickey ${KEYS_DIR}/policy-key.pub --policy signed-policy.yaml"
+
+# Create a .gitignore to prevent accidentally committing private keys
+cat > "${KEYS_DIR}/.gitignore" << EOF
+# Ignore all private keys
+*.pem
+!.gitignore
+
+# Keep public keys and certificates
+!*.pub
+!*-cert.pem
+EOF
+
+echo ""
+echo "⚠️  Note: Private keys (*.pem) are gitignored for security."

.github/witness/keys/.gitignore

@@ -0,0 +1,7 @@
+# Ignore all private keys
+*.pem
+!.gitignore
+
+# Keep public keys and certificates
+!*.pub
+!*-cert.pem

.github/witness/keys/build-key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfeo17admk4H3LgRMpxy
+CAfbZrfxHvYHKNsm1ZPBNyWvVya1biMvwA9FURjoYtvzY0tf+xWCOob0J7k6FkuM
+beziCq4m6miByZEj7cv40lzJ7OZgDBbnV1I5mSw7Ol8VvF1FspEvfNR+UQw/yy7i
+4IBSg0XZLhFofShQFFe1QrZ7I6poQ0iNQBgFk5BPzMfUfiZo6GuS5kaclczuuqRu
+EVhuywYnnByPjwapXVx4cOIABc7JPkHbm7/tQvqRzdWxhQoJZWQfROacvE1aYfi/
+N6DYtRdQEirk3siD/AnFDCR/zTwmeAzaU7E03h+ioM+RW31nf3Le6yoe3L7Xq31U
+5wIDAQAB
+-----END PUBLIC KEY-----

.github/witness/keys/ed25519-key.pub

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAPQfrWB5gNPpEka+KOuHycr+nSTFm3BoD+NoeFla6DNc=
+-----END PUBLIC KEY-----

.github/witness/keys/functionary-key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw5g6/X67iEP66ZVm7Txc
+QBij4blkgE6KWncH6VVoVrRjn4eg1oVu982TgT9mFhuRX1tdCFhmhXPrJnRYX8jL
+X+XjzN/L/NQDY+wgpn6Cw/0e71Cr199WEkorVISbpKw9vLPlwWllsScOinfvOIHU
+cGwXld7yxMYnMEb9KUzFckL/uJT4HF537Fqj3Nr2bHgSrYKTwfSodvS1QkbSB9ng
+4qZctc5NmTypLtU/VkxtC13zPwfHfskXiG3LxdY3qrkJj8vWMOAMkXndJMHC/clI
+sgtUkRjfrhgQAfcgqZMWRHdhYqDjWmPFTdu9PIBi8g1+5NK2Fib7iTVCkM2KDoIF
+lwIDAQAB
+-----END PUBLIC KEY-----

.github/witness/keys/policy-cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlzCCAn+gAwIBAgIUftyyQuWpP84BRRVrbdmbcj0PJWkwDQYJKoZIhvcNAQEL
+BQAwWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJjb25kYS13aXRuZXNzLXRlc3Qw
+HhcNMjUwOTI3MDM1NjEzWhcNMzUwOTI1MDM1NjEzWjBbMQswCQYDVQQGEwJVUzEO
+MAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxEDAOBgNVBAoMB1Rlc3RPcmcx
+GzAZBgNVBAMMEmNvbmRhLXdpdG5lc3MtdGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALjyGod0QhM2lrZYLhAlHDdW9yiQOepGAioLavbPzU6pRYKM
+tR7iirKWce/X6/yZ/U2HZbmPQDCenyEQfCDnpTSNEYk3LBZfMvxvvc9LIzCjtOT7
+JQSSYF2el7nv7NzRgMolEkEc7pnpzfXng8Fmnp26hHXi7HBsBlztPCDTnatK5B3m
+q/bagxO37CGyqVBPcG8i8PcOrkjrWJDr+rzl2t9k4C9jv1xIyTU0oeJDS5fQTOHz
+eU5EJ1JeYHaKrvHaa9Dd9mVeO5q8kPs3xVoGshY3Wz/luAqBGuGnW/4hSeO3nXef
+AvyNyxwIYC8kOqLy+w18Vsjjh/LHx6EbI81okfECAwEAAaNTMFEwHQYDVR0OBBYE
+FPV7uRmVgkmXBjBSQvgnelwtDWzPMB8GA1UdIwQYMBaAFPV7uRmVgkmXBjBSQvgn
+elwtDWzPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAJoZEgY
+Pz9b0eexs0apXXaK8w7xu4/dDx/fpe7Isqr4X6+9lyo0aHABN0AwxWbH3iXM2LCr
+3UqATjJa9ZErjj+9nT4Ra7kpGbRWc9eAKRyz1ABe/p92SfReY7/MuXSQ8HfKdgnt
+UI8Wiq2dOhETBvNHQBmNIyJWc85+G5RWQmdAZiFgEA9WmAy2FmlaBMTO2XXxZo3i
+Hf+EVs9k2I0uS+IEugaY/dM38fzJaOKnlc8+EszaTvs/2knL6fgscEmHalH7Flqn
+uoQEh+m5OrJi2CAmKbOgYAWBwZpmaoMW+ggMWNhna7SKPbBNWFOzzWIhDffNsahN
+o7d+P+WXl4Wv5Ng=
+-----END CERTIFICATE-----

.github/witness/keys/policy-key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPIah3RCEzaWtlguECUc
+N1b3KJA56kYCKgtq9s/NTqlFgoy1HuKKspZx79fr/Jn9TYdluY9AMJ6fIRB8IOel
+NI0RiTcsFl8y/G+9z0sjMKO05PslBJJgXZ6Xue/s3NGAyiUSQRzumenN9eeDwWae
+nbqEdeLscGwGXO08INOdq0rkHear9tqDE7fsIbKpUE9wbyLw9w6uSOtYkOv6vOXa
+32TgL2O/XEjJNTSh4kNLl9BM4fN5TkQnUl5gdoqu8dpr0N32ZV47mryQ+zfFWgay
+FjdbP+W4CoEa4adb/iFJ47edd58C/I3LHAhgLyQ6ovL7DXxWyOOH8sfHoRsjzWiR
+8QIDAQAB
+-----END PUBLIC KEY-----

.github/witness/keys/test-key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEoIhUch2p/S5P+NsehP
++2aJfQwu1fMXuOjBqJGjnQ2wQR6w6VWVMpUpmOCsWxChvnPbmCbKYCO2JwpNO5C6
+TKcxXJAwPzn2KoTP4tPQljQ76s8t0OKrsH2dQR98t5A4OYM2Iwb4kdbptRRWwEVf
+Mz702FlpQG3zWIttvVjFHaE+G6biR8KwCMwPkvoRZXOn28oXw/DTOX00Fb4aTStU
+kcLZmC34OlJlR/inCq9VQTqjeMjtDgztVxKh/JcjAO3pETUGIiUMoXqT1lFi4Azf
+j0UUAHKY+8JVUqj62JmePFEWcu/9aS4kNwGr2GLp6b5xcYvVxoI3bKmbkxhKGF4o
+jQIDAQAB
+-----END PUBLIC KEY-----