
Specify sha256 in TSA request #1373

Merged: jku merged 8 commits into sigstore:main from ramonpetgrave64:tsa-verify-sha on May 9, 2025


@ramonpetgrave64 ramonpetgrave64 commented May 8, 2025

Contributor

Client support for Rekor V2: sigstore-python

Summary

Resolves #1372

Makes the TSA request specify sha256 for the message digest, since verification currently assumes sha256. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

Release Note

  • TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.

Documentation

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 changed the title from "Tsa verify sha" to "Specify sha256 in TSA request" May 8, 2025
ramonpetgrave64 and others added 2 commits May 8, 2025 19:37
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64

Contributor Author

@DarkaMaul

@jku

jku commented May 9, 2025

Member

> Makes the TSA request specify sha256 for the message digest, since verification currently assumes sha256.

I mentioned this in the issue but for completeness will repeat: I think we should fix verification directly since we can't just support timestamps made by sigstore-python so can't enforce which algorithms we will see. trailofbits/rfc3161-client#144 may be something usable?

@ramonpetgrave64

Contributor Author

@jku I agree. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

@jku

jku commented May 9, 2025

Member

> @jku I agree. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

Oh yeah that is a better reason for this PR than "verification currently assumes sha256". SGTM.

@jku

jku commented May 9, 2025

Member

/gcbrun

@jku jku left a comment

Member

I agree, we should be choosing the algorithm explicitly when creating a timestamp. SHA-256 sounds fine to me and we can always bump that up (preferably after verification is ok with it).

I'll file a new issue for the verification hash being hard coded so we don't forget

@jku jku merged commit 572ccac into sigstore:main May 9, 2025
23 checks passed
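
An added illustration of the point agreed in this thread (not code from sigstore-python or rfc3161-client): the signer names the hash algorithm explicitly in the RFC 3161 MessageImprint, and the verifier selects the hash from the OID carried in the imprint instead of assuming SHA-256. The function names are hypothetical, and the minimal DER handling covers short-form lengths only, which is enough for a MessageImprint.

```python
import hashlib
import hmac

# DER contents of the NIST SHA-2 OIDs 2.16.840.1.101.3.4.2.{1,2,3}
SHA2_ARC = bytes.fromhex("6086480165030402")
OID_TO_HASH = {
    SHA2_ARC + b"\x01": "sha256",
    SHA2_ARC + b"\x02": "sha384",
    SHA2_ARC + b"\x03": "sha512",
}

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element (short-form length, value < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80:
        raise ValueError("unexpected DER structure")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos + 2:end], end

def encode_message_imprint(data: bytes, alg: str = "sha256") -> bytes:
    """Signer side: the algorithm is chosen explicitly, never left to a default."""
    oid = next(o for o, name in OID_TO_HASH.items() if name == alg)
    alg_id = tlv(0x30, tlv(0x06, oid))  # AlgorithmIdentifier, parameters absent
    return tlv(0x30, alg_id + tlv(0x04, hashlib.new(alg, data).digest()))

def verify_message_imprint(imprint: bytes, data: bytes) -> bool:
    """Verifier side: hash with whatever algorithm the imprint declares."""
    body, end = read_tlv(imprint, 0, 0x30)
    if end != len(imprint):
        raise ValueError("trailing bytes after MessageImprint")
    alg_id, pos = read_tlv(body, 0, 0x30)
    oid, _ = read_tlv(alg_id, 0, 0x06)   # optional parameters (e.g. NULL) ignored
    digest, _ = read_tlv(body, pos, 0x04)
    name = OID_TO_HASH.get(oid)
    if name is None:
        raise ValueError("unsupported hash algorithm in MessageImprint")
    return hmac.compare_digest(hashlib.new(name, data).digest(), digest)
```

A verifier that hard-codes SHA-256 would reject the SHA-512 imprint this encoder can produce, even though the timestamp covers the right data.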
Successfully merging this pull request may close these issues.

TSA request message digest defaults to sha256