Support dsse as hashedrekord #99
Currently using a commit from conformance main to get the new tests for the dsse-as-hashedrekord: next conformance release will contain them
The new DSSE-as-hashedrekord tests have not yet been released

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

This is based on sigstore/architecture-docs#63

* With Rekor v2 DSSE envelopes are supported via Hashedrekord entries instead of a dedicated dsse entry
* digest is Hash(PAE(payloadType, payload))
* Signature is the DSSE envelope signature

This commit removes all support for the "dsse 0.0.2" entry type: this seems ok as rekor v2 signing was never deployed in production.

* When signing with rekor v2, build a "hashedrekord 0.0.2" entry with digest and signature as described above
* When verifying hashedrekord, compute hash depending on bundle content
* When matching hashedrekord signatures, use envelope signatures when appropriate
* When verifying rekor entry consistency, accept a DSSE envelope with a "hashedrekord 0.0.2" entry

Testing:

* Implement a few new verification tests

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
I suppose this is ready for review
loosebazooka left a comment
mostly questions about rust for me to understand.
| let dsse_entry = DsseEntryV2::new(envelope, certificate); | ||
| let entry = rekor.create_dsse_entry_v2(dsse_entry).await.map_err(|e| { | ||
| Error::Signing(format!("Failed to create DSSE Rekor entry: {}", e)) | ||
| let hash = sigstore_crypto::sha256(&envelope.pae()); |
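Review bot: The new line `let hash = sigstore_crypto::sha256(&envelope.pae());` fixes the digest to SHA-256 and carries no comment saying that the value logged for a DSSE bundle is the hash of the PAE, not of the payload, the envelope bytes or the artifact. A one-line comment stating the rule (digest is Hash(PAE(payloadType, payload))) would help here, and since a verifier has to reproduce exactly this expression, a small helper shared by the signing and verification paths would keep the two from drifting if the hash later becomes selectable.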
is there no standard rust crypto that does sha256?
There indeed is no standard crypto in Rust.
We use aws-lc IIRC. I don't know why we use our own wrapper but my guess would be:
- hide aws-lc so it can be swapped out if needed
- get some nicer de/serialization (to base64 etc)
||
| // Use V1 or V2 API based on configuration | ||
| let (log_entry, version) = match self.rekor_api_version { | ||
| let (log_entry, kind, version) = match self.rekor_api_version { |
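Review bot: The comment `// Use V1 or V2 API based on configuration` above the match no longer describes what the match produces now that the tuple is `(log_entry, kind, version)`. Please say in the comment what `kind` is and where it is consumed, and if the returned entry already carries its kind and version, consider reading them from `log_entry` instead of returning them next to it from each arm, so the three values cannot disagree.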
how is log_entry typed here (just to the closest viable parent?)
log_entry is always a LogEntry (the rekor v2 code path has some "conversion code" that I'm not yet familiar with)
| // Compute hash from artifact (bytes or pre-computed digest) or DSSE envelope | ||
| let hash = match &bundle.content { | ||
| SignatureContent::MessageSignature(_) => compute_artifact_digest(artifact), | ||
| SignatureContent::DsseEnvelope(envelope) => sigstore_crypto::sha256(&envelope.pae()), |
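Review bot: In the `SignatureContent::DsseEnvelope(envelope)` arm, `artifact` is not used, so the hash compared with the log entry binds the entry to the envelope only. Please confirm, and note in a comment, where the artifact is checked against the envelope's payload for DSSE bundles, so that a valid envelope and entry cannot pass verification for an unrelated artifact. The comment on the first line of the hunk could also state that the DSSE case hashes the PAE rather than the envelope bytes.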
I thought you needed to use the algorithm_registry to get the signing algorithm to determine the hash algorithm. (maybe rust is just sha256 for now?)
Yeah, I think you are correct: there is no dynamic hash selection for hashedrekord right now. Filed #104 for this
We should have a test for this in conformance -- cover the signing algorithms we actually care about -- otherwise this is not going to actually work in any client
As per specification

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Rekor2: Support DSSE via Hashedrekord entries
This is based on sigstore/architecture-docs#63
This removes all support for the "dsse 0.0.2" entry type: this seems ok as rekor v2 signing was never deployed in production (the log is there, it's just never been included in the SigningConfig).
Testing:
The test asset is from
cargo run -p sigstore-sign --example sign_attestation -- --staging crates/sigstore-verify/test_data/bundles/signed-package-2.1.0-hb0f4dca_0.conda -o crates/sigstore-verify/test_data/bundles/conda-attestation-rekor2.sigstore.json
and verifies with:
cargo run -p sigstore-verify --example verify_bundle -- --staging crates/sigstore-verify/test_data/bundles/signed-package-2.1.0-hb0f4dca_0.conda crates/sigstore-verify/test_data/bundles/conda-attestation-rekor2.sigstore.json
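
The rule this PR implements (digest is Hash(PAE(payloadType, payload)), signature is the DSSE envelope signature), as an added Python example that is not code from this PR or from the project. The flat `entry` dict with `digest` and `signature` keys is a simplified stand-in for a hashedrekord entry, SHA-256 is fixed as in the PR, and the sample envelope and its "signature" bytes are constructed.

```python
import base64
import hashlib
import hmac
import json


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes the envelope signature covers."""
    ptype = payload_type.encode("utf-8")
    return b"DSSEv1 %d %b %d %b" % (len(ptype), ptype, len(payload), payload)


def hashedrekord_fields(envelope: dict) -> dict:
    """Digest and signature that a hashedrekord entry carries for a DSSE envelope."""
    sigs = envelope["signatures"]
    if len(sigs) != 1:
        # Assumption: one signature per envelope, since the entry holds a single signature.
        raise ValueError("expected exactly one envelope signature")
    payload = base64.b64decode(envelope["payload"])
    return {
        "digest": hashlib.sha256(pae(envelope["payloadType"], payload)).digest(),
        "signature": base64.b64decode(sigs[0]["sig"]),
    }


def entry_matches_envelope(entry: dict, envelope: dict) -> bool:
    """Consistency check: the logged digest and signature must both come from this envelope."""
    want = hashedrekord_fields(envelope)
    return hmac.compare_digest(entry["digest"], want["digest"]) and hmac.compare_digest(
        entry["signature"], want["signature"]
    )


# Constructed sample data: the statement and the "signature" bytes are placeholders.
STATEMENT = json.dumps({"_type": "https://in-toto.io/Statement/v1", "subject": []}).encode()
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(STATEMENT).decode(),
    "signatures": [{"sig": base64.b64encode(b"constructed-signature").decode()}],
}

if __name__ == "__main__":
    good = hashedrekord_fields(ENVELOPE)
    # An entry whose digest is over the bare payload does not match the envelope.
    bare = {"digest": hashlib.sha256(STATEMENT).digest(), "signature": good["signature"]}
    print(entry_matches_envelope(good, ENVELOPE), entry_matches_envelope(bare, ENVELOPE))
```

Because the payload type is part of the PAE, changing `payloadType` alone changes the digest, so an entry logged for one type does not match the same payload presented under another.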