[DRAFT] Rekor v1 and v2 support via signing-config by ramonpetgrave64 · Pull Request #1387 · sigstore/sigstore-python

ramonpetgrave64 · 2025-05-16T05:45:15Z

Client support for Rekor V2: sigstore-python #289

Summary

Adds Rekor V2 support, while being compatible with Rekor v1, swicthable with the signing-config, when signing and verify an artifact.

Lots of files in this PR:

New python protos, generated from rekor-tiles, copied into sigstore-python. We may not need all these files. And thy maybe belong in trailofbits/rekor-types, or even sigstore/protobuf-specs.
- Add client generation for python rekor-tiles#303
  - and pending Use 3.10 style for typing imports rekor-tiles#305
- related: add codegen for rekorv2 sigstore-rekor-types#168
trust configs
- with rekor.sigstage.dev rekor v1: trust_config.json
- with a local rekorv2: trust_config_v2.json
  - with a new release of rekor-tiles, v2 should be also deployed to rekor.sigstage.dev for testing
changes from pedning PRs

Testing

Unit tests pass ~~locally with python 3.12.9. CI tests fails on python 3.9~~. And linters are not yet expected to pass.

Signing and verifying both work.

Invoke with

sigstore --trust-config ./trust_config.json sign README.md --overwrite -v

sigstore --trust-config ./trust_config.json verify identity --bundle README.md.sigstore.json --cert-oidc-issuer https://accounts.google.com --cert-identity <your cert identity> README.md --verbose

sigstore --trust-config ./trust_config_v2.json sign README.md --overwrite -v

sigstore --trust-config ./trust_config_v2.json verify identity --bundle README.md.sigstore.json --cert-oidc-issuer https://accounts.google.com --cert-identity <your cert identity> README.md --verbose

TODO

Lots of items, so the last few items regarding testing will probably come in a separate PR.

Release Note

Documentation

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

This reverts commit 79a6d31. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

This reverts commit e4470a9. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

jku · 2025-05-16T09:00:16Z

I mentioned this elsewhere but for clarity: I would prefer the Rekorv2 changes to not touch the v1 RekorClient code if possible and instead be a separate implementation.

the rekorclient(s) could also take care of building the correct proposed entry (mentioned this in a code comment)
currently it looks like the rekor v2 client supports all the methods in RekorClient... but I don't think it does and I don't think it needs to

ramonpetgrave64 · 2025-05-16T15:42:39Z

@jku Yes, like we discussed offline, it perhaps would be nicer if the V2 changes would not edit the current RekorClient class. I'll have to see how viable the auto-generated v2 client RekorBase or RekorStub is.

https://github.com/sigstore/sigstore-python/pull/1387/files#diff-d7b419ac40c89309564411de463dfcde20b004790450a98f3077da9e1f60c459R267

If not, I also mentioned that subclassing could make more sense. Abstract the common methods of V1 and V2 into another base class. If that, I don't think removing V1 support in the future after the estimated 18 months would be difficult.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

jku · 2025-06-09T09:27:35Z

closing as housekeeping: I believe #1414 is closer to current SOTA

ramonpetgrave64 and others added 30 commits April 25, 2025 18:26

set endpoint to v2

d76d72e

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

test with local rekorv2

1c9885c

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into rekor-v2

c0a278c

seems to work, but no kind-version

e602ee9

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

no trailing slash for post to /entries

79a6d31

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

signing worksa

2d658ba

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

signing, but no verify

f2e6479

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

cache the kindversion

e4470a9

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

parse kind_version earlier

f69efca

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Revert "no trailing slash for post to /entries"

a6025a5

This reverts commit 79a6d31. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

lint

b06b4b5

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

add PR link

7777935

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

Merge branch 'main' into kindversion

0172eed

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

Merge branch 'main' into rekor-v2

088a452

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

semi-working verification

ac4f29d

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into kindversion

313da43

Merge branch 'main' into rekor-v2

0b765a0

add support for ed25519 keys

8e4c394

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into ed25519

d03cb47

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

add changelog self link

ee73bb4

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

lint

dad8ff6

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

use latest tsa release, not latest tag

95d6e11

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

add changelog for tsa test fix

da72b8a

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into rekor-v2

ec37a9e

use all verified timestamps

146f85e

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

additional test

830ea64

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

cleanup

17a9716

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

pr backlink

2e93051

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

attempt at root hash hex parse for v1 and v2

f1058e8

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Revert "cache the kindversion"

9fb64c3

This reverts commit e4470a9. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

ramonpetgrave64 added 14 commits May 16, 2025 16:48

independent RekorV2Client

ace0dfb

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

cleanup

7ad3185

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into rekor-v2

b4f148a

use HashOutput from protobuf specs

578758f

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

back to imported HasHOutput

9a066e8

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

refactor the building of the hashedrekord preposed entries

a0e6616

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

specific kindversions when verifying

895ea51

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

import from typing_extensions import TypeAlias

2c0508c

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

smaller diff

686ccf8

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

no google bufs

b9a8bae

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

unused var

e272425

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

list not List

2d50e48

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

add cli test for v2, using local rekorv2

cdd6de2

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

xfail and comment

f8a198e

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

jku mentioned this pull request May 19, 2025

trust: Provide a better way to select service versions #1396

Closed

ramonpetgrave64 added 3 commits May 19, 2025 19:13

test local env

f057e81

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

add workflow

1f96143

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

sign and verify dsse

95cff0a

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

ramonpetgrave64 mentioned this pull request May 20, 2025

[DRAFT] Add RekorV2Client #1400

Closed

6 tasks

ramonpetgrave64 added 6 commits May 22, 2025 21:41

alpha ytsu_config

e759b8a

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

with v1 key

ac517e8

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Merge branch 'main' into rekor-v2

144ac9b

no V002 workaround

435ddb0

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

sign but cant parse entry

cd52b93

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

worarkound entry body parsing

6258926

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

ramonpetgrave64 mentioned this pull request May 23, 2025

sign and verify with Rekorv2 #1414

Closed

4 tasks

jku closed this Jun 9, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DRAFT] Rekor v1 and v2 support via signing-config#1387

[DRAFT] Rekor v1 and v2 support via signing-config#1387
ramonpetgrave64 wants to merge 103 commits into
sigstore:mainfrom
ramonpetgrave64:rekor-v2

ramonpetgrave64 commented May 16, 2025 •

edited

Loading

Uh oh!

jku commented May 16, 2025

Uh oh!

ramonpetgrave64 commented May 16, 2025 •

edited

Loading

Uh oh!

jku commented Jun 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

ramonpetgrave64 commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Testing

TODO

Release Note

Documentation

Uh oh!

jku commented May 16, 2025

Uh oh!

ramonpetgrave64 commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jku commented Jun 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

ramonpetgrave64 commented May 16, 2025 •

edited

Loading

ramonpetgrave64 commented May 16, 2025 •

edited

Loading