feat: Sigil attestation rules (wasm_attest, wasm_verify_chain, wasm_show_chain)#445
Merged
Exposes wsc 0.7.0's transformation-attestation surface as Bazel rules so the
full PulseEngine pipeline can build and verify SLSA-style provenance chains:
wasm_attest — record a transformation attestation for an external
tool (meld_fuse and wasm_optimize already self-attest)
wasm_verify_chain — policy-enforcing ship-gate, optionally reading a
TOML policy or legacy trusted-tools JSON
wasm_show_chain — emit the attestation chain as JSON or text for CI
diagnostics
The existing wasmsign2_wrapper Go tool is extended with two internal
coordination flags so the new rules stay Bazel-native:
--bazel-stage-source=PATH copy PATH to --output-file before wsc runs
(wsc attest rewrites --output-file in place)
--bazel-capture-stdout=PATH capture wsc's stdout into a Bazel output
(wsc show-chain writes to stdout)
This lets the rules call ctx.actions.run directly rather than resorting to
run_shell for staging or redirection.
examples/wasm_signing gains a wasm_show_chain demo target that confirms the
wiring end-to-end (produces "No transformation attestations found in module"
since the input is only signed, not transformed). wasm_verify_chain is not
demoed here because it requires at least one transformation attestation in
the chain — that's a natural fit for an end-to-end meld_fuse example later.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Summary
- wasm_attest — records a transformation attestation for an external tool (meld_fuse and wasm_optimize already self-attest via their attestation attr).
- wasm_verify_chain — policy-enforcing ship-gate, optionally consuming a TOML policy or a legacy trusted-tools JSON.
- wasm_show_chain — emits the attestation chain as JSON or text for CI diagnostics.
- wasmsign2_wrapper Go tool with two internal coordination flags (--bazel-stage-source, --bazel-capture-stdout) so the new rules use ctx.actions.run rather than run_shell, staying aligned with the "Bazel Way First" rule.

Context
Follow-up to #442 (pipeline rules) and #444 (meld native toolchain). wsc 0.7.0 ships attest, verify-chain, and show-chain alongside the signing commands we already wrap — this PR surfaces those commands as proper Bazel rules.

Verified end-to-end locally:
bazel build //examples/wasm_signing:signed_component_chain_json produces a JSON artifact with the expected "No transformation attestations found in module" output (the signed component has no transformations yet — meaningful chains appear once meld_fuse/wasm_optimize run).

Test plan
- bazel build //tools/wasmsign2_wrapper //wasm:defs — wrapper rebuilds with new flags
- bazel build --nobuild //wasm/... //wasm/private/... //tools/wasmsign2_wrapper/... — 21 targets analyze
- bazel build //examples/wasm_signing:signed_component_chain_json — real show-chain end-to-end against a signed component

Notes
wasm_verify_chain is not demoed in examples/wasm_signing because it requires at least one transformation attestation in the chain (its "no chain at all" error is pre-policy and report_only does not rescue it). That demo belongs with a meld_fuse / wasm_optimize pipeline, which will come with the integration example.

🤖 Generated with Claude Code
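The commit message and the Summary above describe two coordination flags on the Go wrapper: --bazel-stage-source copies the input to --output-file before the tool runs (because wsc attest rewrites --output-file in place), and --bazel-capture-stdout writes the tool's stdout into a Bazel output (because wsc show-chain prints to stdout). The program below is an added example of that pattern, not code from this PR or from the PulseEngine/wasmsign2_wrapper sources. The flag names come from the PR; the function names stageSource and runCapturingStdout, the convention that everything after the wrapper's flags is the tool invocation, and the sh-based sample commands in the comments are assumptions made for the illustration. Two details matter for a ship-gate wrapper: the staged file must be a real, writable copy (Bazel inputs are usually read-only symlinks, so a rename or symlink would either fail or mutate the input), and the captured stdout must be written only after the tool exits successfully, with the non-zero exit propagated, so a failed verify-chain can never leave a plausible-looking output that a downstream step treats as a pass.

```go
package main

import (
	"bytes"
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
)

// stageSource copies src to dst as a real, writable file so a tool that
// rewrites its --output-file in place can work on it. Bazel action inputs
// are typically read-only symlinks into the execroot, so a rename or a
// symlink is not enough: the copy gives the action a private, writable output.
func stageSource(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
		return err
	}
	// Truncate any stale artifact; 0o644 keeps the output writable for the tool.
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

// runCapturingStdout runs argv and writes its stdout to capturePath, or
// passes stdout through when capturePath is empty. Stderr always passes
// through so Bazel still shows the tool's diagnostics. A non-zero exit is
// returned as an error so the Bazel action fails instead of producing an
// output from a tool that refused to verify or attest.
func runCapturingStdout(argv []string, capturePath string) error {
	if len(argv) == 0 {
		return errors.New("no tool command given after wrapper flags")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stderr = os.Stderr
	var buf bytes.Buffer
	if capturePath != "" {
		cmd.Stdout = &buf
	} else {
		cmd.Stdout = os.Stdout
	}
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("%s failed: %w", argv[0], err)
	}
	if capturePath != "" {
		// Write only after a successful run so a failing tool never leaves a
		// half-written "output" that a later build step could pick up.
		return os.WriteFile(capturePath, buf.Bytes(), 0o644)
	}
	return nil
}

func main() {
	// Assumed wrapper CLI shape (illustration only):
	//   wrapper --bazel-stage-source=in.wasm --output-file=out.wasm -- wsc attest ...
	//   wrapper --bazel-capture-stdout=chain.json -- wsc show-chain ...
	stage := flag.String("bazel-stage-source", "", "copy this file to --output-file before running the tool")
	outFile := flag.String("output-file", "", "path the tool rewrites in place")
	capture := flag.String("bazel-capture-stdout", "", "write the tool's stdout to this file")
	flag.Parse()
	if *stage != "" {
		if *outFile == "" {
			fmt.Fprintln(os.Stderr, "--bazel-stage-source requires --output-file")
			os.Exit(2)
		}
		if err := stageSource(*stage, *outFile); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	if err := runCapturingStdout(flag.Args(), *capture); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Because flag.Parse stops at the first non-flag argument, the tool invocation after the wrapper's own flags is passed through untouched, which is what lets a rule build the full command line in ctx.actions.run without a shell.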