Skip to content

sign and verify with Rekorv2#1414

Closed
ramonpetgrave64 wants to merge 24 commits into
sigstore:mainfrom
ramonpetgrave64:rekov2-client-use
Closed

sign and verify with Rekorv2#1414
ramonpetgrave64 wants to merge 24 commits into
sigstore:mainfrom
ramonpetgrave64:rekov2-client-use

Conversation

@ramonpetgrave64

@ramonpetgrave64 ramonpetgrave64 commented May 23, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Client support for Rekor V2: sigstore-python #289

Summary

This PR, in favor of #1387

Pending #1400

Enables signing and verifying with Rekorv2 via a trust-config.

Testing

Unit tests should pass, but are currently using somewhat hacky method of paramaterizing fixtures to use either staging or the embedded tust_config.

TODO:

  • a less hacky fixture setup
  • tests for cli/attest/py
  • documentation
  • tests for cli/verify, with an embedded bundle

Release Note

Documentation

@ramonpetgrave64
add RekorV2Client and types
376361a 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add rekorv2 client + tests
2983b4a 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add lots of docstrings
3f94e7a 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
xfail on local and staging
d043256 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add cahngelog
1a55117 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
Merge branch 'main' into rekov2-client
65ecf4e
@ramonpetgrave64
remove staging and production methods
3730364 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add @pytest.mark.ambient_oidc
1e78607 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
send the cert, not only the public key
53c9113 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
abstract the signer fixture
79f967c 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
reorganize fixtures
832f87d 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add tiemout
e6a6fe3 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
Merge branch 'main' into rekov2-client
c546aea
@ramonpetgrave64
no V002 workaround
5baeb8f 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
merge updates
4b2a03a 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
no V002 workaround
73eaf0e 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
regorganize tests
34043a2 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
use new methods for building requests
a733d5a 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
changelog
90d8244 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
cleanup comment
b49d8a7 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
future import
80422f2 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
sign and verify v2
48de313 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
tsa test
57181bc 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
add test_sign
22530d1 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@jku jku mentioned this pull request Jun 9, 2025
Closed
15 tasks
@jku

jku commented Jun 9, 2025
edited
Loading

Copy link
Copy Markdown
Member

I'm combing through this PR now: I think instead of working on top of this I will take specific commits (at least verify/*) and make them fit on top of #1422

rekov2-client...jku:sigstore-python:sign-with-rekorv2 is the working branch

jku
jku reviewed Jun 9, 2025
View reviewed changes
Comment thread sigstore/verify/verifier.py
Comment on lines +585 to +588
public_key=v2.PublicKey(
raw_bytes=bundle.signing_certificate.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo,

@jku jku Jun 9, 2025
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks strange to me: if the bundle contains a signing certificate, we should expect the signature to contain that (and not just the public key of the certificate), right?

@jku jku Jun 9, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've used the certificate in my PR, I think it looks ok

This was referenced Jun 9, 2025
Closed
Merged
@jku

jku commented Jun 9, 2025

Copy link
Copy Markdown
Member

I think I have an updated version in #1432 -- @ramonpetgrave64 there might still be something we want here, but I'm going to close this one for clarity for now.

@jku jku closed this Jun 9, 2025
@jku jku mentioned this pull request Jun 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jku jku jku left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ramonpetgrave64 @jku