BinAuthz/Kritis incompatibility: base64-encoded attestation
ooq opened this issue · 5 comments
Expected Behavior
The same attestation should work for both Kritis & Binary Authorization.
Actual Behavior
Kritis assumes signature in attestation to be base64 encoded. (and Kritis also creates attestation with base64 encoded signature)
BinAuthz assumes not.
Steps to Reproduce the Problem
Environment, commands
Additional info
Add any other context about the problem here (e.g. screenshots, links)
Could you please clarify if there's anything that changed in BinAuthz between #427 and this? The original states that this would be compatible with BinAuthz, which is why I'm confused.
Hi @aysylu, nothing is changed. Confirmed with @nenaddedic that #427 was a mistake. The REST curl API does require base64 encoding (https://cloud.google.com/binary-authorization/docs/making-attestations#rest_1), but that was just a convention for carrying byte-array type field in json file. GCP client libraries handle this transparently.
Added info for proto3 bytes mapping to JSON [1]:
JSON value will be the data encoded as a string using standard base64 encoding with paddings. Either standard or URL-safe base64 encoding with/without paddings are accepted.
[1] https://developers.google.com/protocol-buffers/docs/proto3?hl=en#json