Sign and verify with rekorv2 #1432
334e1b2 to 983bfa6
last commit: Made sure we support the same signature algorithms in verification that we support with rekor v1 entries (we should support a bit more but that's another PR)
If signingconfig contains rekor v2, let's start preferring it
Make sure we test the status quo (no rekor v2 in signing config) and the case where there is a rekor v2 in signing config.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is current staging trust root and signing config, with just the rekor v2 instance added to signing config
$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This code is originally from Ramon, updated by Jussi
$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md
$ sigstore --staging verify identity \
    --cert-identity jku@goto.fi \
    --cert-oidc-issuer https://github.com/login/oauth \
    README.md
OK: README.md
Co-authored-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This makes the code quite a bit uglier: we will likely want to refactor...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
These are fairly basic for now.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This reverts commit d7ddd50.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
We can handle not just the key extraction but getting the whole v2.Verifier for the certificate: both v002 types need it.
Also make private methods private and improve docstrings
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This change affects the signing certificate verification in rekor v2 entries:
* Support all ECDSA keys listed in https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md
* Don't support other algorithms yet since the actual signature verification does not support them currently
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Rebased on main after #1422 was merged: I will do a final self-review and mark this ready for review
EDIT: looks fine to me.
The beginnings of conformance tests are in sigstore/sigstore-conformance#216 -- that PR is pending a sigstore-python release (or at least merging of this PR)
Also, a future work item is concurrent rekor requests:
(alternative to parallelizing is to talk rekor-tiles project into providing api for creating multiple entries... But that'll still require client changes)
I think we can get a lot more coverage without writing new tests in #1441
| @pytest.fixture | ||
| def staging_with_rekorv2() -> tuple[ | ||
| type[SigningContext], type[Verifier], IdentityToken | ||
| ]: |
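Review bot: in the return annotation of staging_with_rekorv2, the fixture hands back a positional three-element tuple (type[SigningContext], type[Verifier], IdentityToken), so every test that uses it has to unpack the elements in the right order. Consider a small NamedTuple with named fields, or at least a docstring that states which element is which and which trust config the fixture loads.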
In #1441, we could add another param specific for this "alpha" instance.
@di @woodruffw can you take a pass over this? I’ve reviewed it, it looks functionally good, though I can’t speak to how pythonic it is.
LGTM -- I did a pass over the verifier bits and nothing stood out to me 🙂
Thanks all: I think I will merge this today.
I'll file a tracking issue for next release so we don't drop the ball on those
Start signing and verifying with rekor v2 (when signingconfig / trustedroot instruct to do so).
This is a continuation of #1414 (although does not use any direct commits from there). The verifier.py changes are mostly from @ramonpetgrave64
Contents:
* verify_dsse() and verify_artifact() now handle v002 entry types
* _validate_*_v001_entry_body() methods are just the existing code path refactored to separate methods
* _validate_*_v002_entry_body() methods are the new validation code
* --trust-config staging-but-sign-with-rekor-v2.json
Notes:
* --experimental flag for a release if this seems useful -- but I think I would prefer no new flags
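The preference described in the commit messages above (sign with rekor v2 when the signing config lists one, otherwise keep the status quo) looks like this in code. This is an added example, not code from this PR or from sigstore-python; the field names rekorTlogUrls, majorApiVersion and validFor are assumed to match the signing config JSON, and the URLs are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a signing config fragment with one rekor v1 instance,
# one current rekor v2 instance and one retired v2 instance (placeholder URLs).
SAMPLE = json.loads("""
{"rekorTlogUrls": [
  {"url": "https://rekor-v1.example", "majorApiVersion": 1,
   "validFor": {"start": "2021-01-01T00:00:00Z"}},
  {"url": "https://rekor-v2.example", "majorApiVersion": 2,
   "validFor": {"start": "2025-01-01T00:00:00Z"}},
  {"url": "https://rekor-v2-old.example", "majorApiVersion": 2,
   "validFor": {"start": "2024-01-01T00:00:00Z", "end": "2024-06-01T00:00:00Z"}}
]}
""")

SUPPORTED_VERSIONS = {1, 2}  # assumption: API versions this client can speak


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_valid(service, now):
    """True if 'now' falls inside the service's validFor window."""
    window = service.get("validFor", {})
    if "start" not in window or _ts(window["start"]) > now:
        return False
    return "end" not in window or now < _ts(window["end"])


def select_rekor(config, now=None):
    """Pick the log to sign with: the highest supported API version valid now."""
    now = now or datetime.now(timezone.utc)
    usable = [
        s for s in config.get("rekorTlogUrls", [])
        if s.get("majorApiVersion") in SUPPORTED_VERSIONS and _is_valid(s, now)
    ]
    if not usable:
        raise ValueError("signing config has no usable rekor instance")
    return max(usable, key=lambda s: s["majorApiVersion"])
```

Logs with an unknown major version or an elapsed validity window are skipped rather than used, so a config without a usable v2 entry falls back to v1 and a config with nothing usable fails closed.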