Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the ability to verify signed bundle against trusted root #186

Merged
merged 2 commits into from
May 24, 2024
Merged

Add the ability to verify signed bundle against trusted root #186

merged 2 commits into from
May 24, 2024

Conversation

steiza
Copy link
Member

@steiza steiza commented May 22, 2024

Summary

As we work towards releasing signing support (#136), we want the option to verify that the bundle we signed is valid before returning it to the user.

At first I thought about requiring a trusted root, but I came up with at least two examples where that wasn't feasible:

  1. Staging doesn't include a timestamp authority that is reachable from the general internet (arguably this could be fixed)
  2. Conformance tests that use detached materials would require a custom verification policy, at which point you might as well use verify directly

Release Note

NONE - we aren't ready to release signing yet

Documentation

N/A

@steiza
Add the ability to verify signed bundle against trusted root
e536c63 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza requested a review from a team May 22, 2024 18:50
@haydentherapper
Copy link
Contributor

haydentherapper commented May 22, 2024
edited
Loading

Staging doesn't include a timestamp authority that is reachable from the general internet (arguably this could be fixed)

I didn't catch that we were using the sigstore/timestamp-authority client in the signer. This limitation of this client is that the API of the TSA must match the one defined in Sigstore's implementation which is not standardized. The only standardization is what the API must accept and produce. This is why in Cosign, we implemented a client where you must pass the API path rather than just the root URL, which means that we can support any TSA. We can upstream the Cosign TSA client to sigstore/timestamp-authority as well.

If we do this, then you can use https://freetsa.org/index_en.php for staging.

Edit: Concretely, all that needs to change is that when you specify BaseURL when initializing the TSA client, you would just provide the entire API, e.g. https://timestamp.githubapp.com/api/v1/timestamp, which is a reasonable tradeoff to support all TSAs imo.

Edit edit: I also realized that doesn't exactly answer your question, so in addition to this change, we'd need to append the custom timestamp authority to the trust material.

Edit edit edit: I keep finding more things :) In the signing client config, we also define a TSA URL as its whole path - https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto#L176-L178. I would suggest we make this change (in another PR) to align here and with the other clients.

haydentherapper
haydentherapper reviewed May 22, 2024
View reviewed changes
examples/signing/staging_root.json Outdated Show resolved Hide resolved
pkg/sign/signer.go Outdated Show resolved Hide resolved
@steiza
Add staging TUF root to library
9519b7d 
Also don't require signing with Fulcio that supports SCT

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza mentioned this pull request May 23, 2024
Merged
kommendorkapten
kommendorkapten approved these changes May 24, 2024
View reviewed changes
Copy link
Member

@kommendorkapten kommendorkapten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@steiza steiza merged commit 400a1eb into main May 24, 2024
11 checks passed
@steiza steiza deleted the sign-verify branch May 24, 2024 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper left review comments

@kommendorkapten kommendorkapten kommendorkapten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@steiza @haydentherapper @kommendorkapten