
Add support for signing with Tink keyset #2228

Merged
Hayden-IO merged 1 commit into sigstore:main from Hayden-IO:add-tink
Sep 26, 2024


Conversation

@Hayden-IO (Contributor)

This allows deployers to securely sign in-memory while mitigating key exfiltration, since the key is encrypted at rest and loaded into memory at server startup.

Requires providing a path to an encrypted Tink keyset and the Key Encryption Key, a KMS URI for decrypting the keyset.

Heavily pulls from Fulcio's Tink implementation.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
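The deployment model the description sketches (a signing key that exists in plaintext only in server memory, wrapped at rest under a key encryption key that a KMS holds) can be shown end to end. The following is an added example for this page, not Rekor's, Fulcio's or Tink's code: it builds the same shape from the Go standard library, with a local AES-256-GCM key standing in for the KMS-resolved AEAD and a DER-encoded ECDSA P-256 private key standing in for the Tink keyset. NewLocalKEK, GenerateEncryptedKeyset, LoadSigner, RoundTrip, the keysetAAD string and the KEK bytes are hypothetical names and constructed values; nothing here reflects Rekor's actual flags or on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// keysetAAD is a constructed context string bound as associated data, so a wrapped keyset cannot be reused for another purpose.
const keysetAAD = "example-signing-keyset"

// NewLocalKEK stands in for the KMS-backed AEAD that Tink resolves from a KMS URI (hypothetical):
// in production the KEK never leaves the KMS; here it is a local AES-256-GCM key so the example runs offline.
func NewLocalKEK(raw []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateEncryptedKeyset creates an ECDSA P-256 signing key and wraps its DER encoding under the
// KEK as nonce || ciphertext. Only the blob and the public key leave; the plaintext key is never persisted.
func GenerateEncryptedKeyset(kek cipher.AEAD) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	blob := kek.Seal(nonce, nonce, der, []byte(keysetAAD)) // output is nonce || ciphertext
	return blob, &priv.PublicKey, nil
}

// LoadSigner is the server-startup step: unwrap the on-disk blob with the KEK and keep the
// private key in memory only. A wrong KEK or a tampered blob fails closed.
func LoadSigner(kek cipher.AEAD, blob []byte) (*ecdsa.PrivateKey, error) {
	ns := kek.NonceSize()
	if len(blob) < ns { // GCM Open panics on a wrong-sized nonce, so check before slicing
		return nil, errors.New("encrypted keyset too short")
	}
	der, err := kek.Open(nil, blob[:ns], blob[ns:], []byte(keysetAAD))
	if err != nil {
		return nil, fmt.Errorf("keyset decryption failed (wrong KEK or tampered blob): %w", err)
	}
	return x509.ParseECPrivateKey(der)
}

// RoundTrip runs the flow end to end and reports whether a signature from the in-memory key
// verifies, and whether the same blob is rejected under a different KEK (copied file, no KMS access).
func RoundTrip() (bool, bool, error) {
	kek, err := NewLocalKEK([]byte("constructed-32-byte-demo-kek-001")) // constructed KEK material
	if err != nil {
		return false, false, err
	}
	blob, pub, err := GenerateEncryptedKeyset(kek)
	if err != nil {
		return false, false, err
	}
	priv, err := LoadSigner(kek, blob)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte("constructed log entry to sign"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	verified := ecdsa.VerifyASN1(pub, digest[:], sig)
	otherKEK, err := NewLocalKEK(make([]byte, 32)) // a different (all-zero) KEK
	if err != nil {
		return false, false, err
	}
	_, openErr := LoadSigner(otherKEK, blob)
	return verified, openErr != nil, nil
}

func main() {
	verified, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature verifies: %v, wrong KEK rejected: %v\n", verified, rejected)
}
```

The second result of RoundTrip is the property the description is after: someone who exfiltrates the encrypted keyset file alone cannot recover the signing key without the ability to call the KMS, so the controls that matter shift to who may invoke decrypt on the KEK (IAM on the KMS key, audit logging of decrypt calls) and to the memory of the running process. LoadSigner checks the blob length before slicing off the nonce because GCM Open panics, rather than returning an error, when handed a nonce of the wrong size.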
@codecov (bot) commented Sep 25, 2024

Codecov Report

Attention: Patch coverage is 48.21429% with 58 lines in your changes missing coverage. Please review.

Project coverage is 51.40%. Comparing base (488eb97) to head (2a76412).
Report is 192 commits behind head on main.

Files with missing lines     Patch %   Lines
pkg/signer/tink/tink.go      55.07%    21 Missing and 10 partials ⚠️
pkg/signer/tink.go           24.24%    23 Missing and 2 partials ⚠️
pkg/signer/signer.go         33.33%    2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2228       +/-   ##
===========================================
- Coverage   66.46%   51.40%   -15.06%     
===========================================
  Files          92      192      +100     
  Lines        9258    19590    +10332     
===========================================
+ Hits         6153    10071     +3918     
- Misses       2359     8429     +6070     
- Partials      746     1090      +344     
Flag        Coverage Δ
e2etests    49.55% <7.14%> (+1.99%) ⬆️
unittests   43.02% <44.64%> (-4.67%) ⬇️

Flags with carried forward coverage won't be shown.

@cpanato (Member) left a comment:

thanks
lgtm

Comment thread cmd/rekor-server/app/root.go
Hayden-IO merged commit 5e341f2 into sigstore:main Sep 26, 2024
github-actions bot added this to the v1.2.2 milestone Sep 26, 2024
Hayden-IO deleted the add-tink branch December 6, 2024 23:01
3 participants