
Sign and verify with rekorv2 #1432


Draft: wants to merge 52 commits into main

Conversation

@jku (Member) commented Jun 9, 2025

Start signing and verifying with rekor v2 (when signingconfig / trustedroot instruct to do so).

Status:

Contents:

  • SigningConfig now returns RekorV2Clients when appropriate
  • Verifier: verify_dsse() and verify_artifact() now handle v002 entry types
  • tests:
    • SigningConfig tests are amended to test for different rekor clients
    • A simple rekorv2 signing test is added
    • a test asset is added for verifying rekorv2 signatures, this is used in an existing test
    • A trustconfig for signing with staging rekor v2 is added to assets: It's not used in tests but is handy for manually signing with --trust-config staging-but-sign-with-rekor-v2.json

Notes:

  • verification code needs a careful review
  • Decision on feature flag: Currently it's all enabled as soon as trustedroot / signingconfig contains rekor v2 instance. We could put the signing part behind a --experimental flag for a release if this seems useful but I think I would prefer no new flags
  • I originally thought CLI changes are not needed but maybe we should add an extra line of output about rekor v2 signing being potentially slow (since we now wait until inclusion proof). This could be done in a followup issue though
  • Good ideas for better testing are welcome (I'm currently working on conformance tests)

ramonpetgrave64 and others added 30 commits May 20, 2025 16:18
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
* Make sure the exposed signatures actually are abstract:
  the request payload can be just a dict so both clients actually
  implement the same API
* There is still a "EntryRequest" NewType being used instead of dict
  just to make the intent clear

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Don't pretend these are unit tests: just have something simple
  that proves the client roughly does what it should
* We should have real unit tests (that don't require the whole
  staging infra as current tests do) and integration tests but this
  is what I have now

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* The timeout was a little misleading (since requests timeout is not the
  total maximum time of the request) and we don't have specific timeouts
  elsewhere either.
* Also remove some unused variables

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
As of right now this is not in a released protobuf-specs: just preparing
for when it is

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This was dropped from generated protobuf code

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
We only generate secp256r1 so can skip checking all of the other types
for now.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@jku jku force-pushed the rekov2-client branch from 90d1ff7 to 334e1b2 Compare June 10, 2025 08:09
@jku jku force-pushed the rekov2-client branch from 334e1b2 to 983bfa6 Compare June 10, 2025 08:16
jku and others added 13 commits June 10, 2025 17:10
If signingconfig contains rekor v2, let's start preferring it

Make sure we test the status quo (no rekor v2 in signing config)
and the case where there is a rekor v2 in signing config.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is current staging trust root and signing config, with just the
rekor v2 instance added to signing config

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This code is originally from Ramon, updated by Jussi

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md
$ sigstore --staging verify identity \
     --cert-identity jku@goto.fi \
     --cert-oidc-issuer https://github.com/login/oauth \
     README.md
OK: README.md

Co-authored-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This makes the code quite a bit uglier: we will likely want to
refactor...

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
These are fairly basic for now.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This reverts commit d7ddd50.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
We can handle not just the key extraction but getting the whole
v2.Verifier for the certificate: both v002 types need it.

Also make private methods private and improve docstrings

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku force-pushed the sign-with-rekorv2 branch from 9b0a970 to e47e555 Compare June 10, 2025 14:11
@jku (Member, Author) commented Jun 10, 2025

  • rebased on the rekor v2 client branch
  • refactored verifier a bit more
  • Added a better failure for unknown entry types/versions: I think this is safe to do with regards to old bundles (the kind_version gets backfilled from the entry content itself during deserialization in those cases)

This change affects the signing certificate verification in rekor v2
entries:
* Support all ECDSA keys listed in
  https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md
* Don't support other algorithms yet since the actual signature verification
  does not support them currently

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku (Member, Author) commented Jun 11, 2025

last commit: Made sure we support the same signature algorithms in verification that we support with rekor v1 entries (we should support a bit more but that's another PR)
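The two checks discussed in the comments above (failing closed on unknown entry kind/version, with kind_version backfilled from the entry body for old bundles, and accepting only the registry's ECDSA key types when building the verifier for a certificate's key) as an added example. This is illustrative code, not sigstore-python's implementation: the entry layout is an assumed simplification of a bundle's JSON TransparencyLogEntry (an optional kindVersion object plus a base64 canonicalizedBody whose JSON carries kind and apiVersion), the sample entries are constructed, and the function names are hypothetical.

```python
"""Fail-closed handling of Rekor entry types and ECDSA verification keys.

Added example; not sigstore-python's code.  Assumed entry layout: a dict
shaped like the JSON form of a bundle TransparencyLogEntry, with an optional
``kindVersion`` object and a base64 ``canonicalizedBody`` whose JSON carries
``kind`` and ``apiVersion`` (the Rekor v1 body layout).
"""
import base64
import json
from typing import Callable

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa


class UnsupportedEntryError(Exception):
    """The entry kind/version is not one this verifier can check."""


class UnsupportedKeyError(Exception):
    """The signing key algorithm is not allow-listed."""


# Entry types we know how to verify: 0.0.1 are Rekor v1 entries, 0.0.2 are the
# Rekor v2 ("v002") entries.  Anything else must fail closed.
SUPPORTED_ENTRY_TYPES = {
    ("hashedrekord", "0.0.1"),
    ("hashedrekord", "0.0.2"),
    ("dsse", "0.0.1"),
    ("dsse", "0.0.2"),
}

# ECDSA curve/digest pairs from the sigstore algorithm registry
# (ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521).
ECDSA_CURVE_TO_HASH = {
    "secp256r1": hashes.SHA256,
    "secp384r1": hashes.SHA384,
    "secp521r1": hashes.SHA512,
}


def entry_kind_version(entry: dict) -> tuple[str, str]:
    """Return (kind, version), backfilling from the body for old bundles."""
    kv = entry.get("kindVersion")
    if kv and "kind" in kv and "version" in kv:
        return kv["kind"], kv["version"]
    body_b64 = entry.get("canonicalizedBody")
    if not body_b64:
        raise UnsupportedEntryError("entry has no kindVersion and no body")
    try:
        body = json.loads(base64.b64decode(body_b64, validate=True))
        return body["kind"], body["apiVersion"]
    except (ValueError, KeyError, TypeError) as exc:
        raise UnsupportedEntryError(f"cannot determine kind/version: {exc}") from exc


def require_supported(entry: dict) -> tuple[str, str]:
    """Reject the entry unless its (kind, version) is explicitly supported."""
    kind, version = entry_kind_version(entry)
    if (kind, version) not in SUPPORTED_ENTRY_TYPES:
        raise UnsupportedEntryError(f"unsupported entry type {kind} {version}")
    return kind, version


def verifier_for_key(pubkey) -> Callable[[bytes, bytes], bool]:
    """Return a verify(data, sig) callable for an allow-listed ECDSA key."""
    if not isinstance(pubkey, ec.EllipticCurvePublicKey):
        raise UnsupportedKeyError(f"unsupported key type {type(pubkey).__name__}")
    digest = ECDSA_CURVE_TO_HASH.get(pubkey.curve.name)
    if digest is None:
        raise UnsupportedKeyError(f"unsupported curve {pubkey.curve.name}")

    def verify(data: bytes, signature: bytes) -> bool:
        try:
            pubkey.verify(signature, data, ec.ECDSA(digest()))
            return True
        except InvalidSignature:
            return False

    return verify


def _b64_body(kind: str, api_version: str) -> str:
    """Constructed canonicalized body carrying only kind/apiVersion."""
    body = {"apiVersion": api_version, "kind": kind, "spec": {}}
    return base64.b64encode(json.dumps(body).encode()).decode()


# Constructed sample entries (not real log entries).
V2_DSSE_ENTRY = {"kindVersion": {"kind": "dsse", "version": "0.0.2"},
                 "canonicalizedBody": _b64_body("dsse", "0.0.2")}
OLD_HASHEDREKORD_ENTRY = {"canonicalizedBody": _b64_body("hashedrekord", "0.0.1")}
UNKNOWN_ENTRY = {"kindVersion": {"kind": "example-unknown", "version": "0.0.9"}}


def run_demo() -> dict:
    """Exercise the checks with constructed entries and fresh keys."""
    results = {}
    results["v2_dsse"] = require_supported(V2_DSSE_ENTRY)
    results["old_hashedrekord"] = require_supported(OLD_HASHEDREKORD_ENTRY)
    try:
        require_supported(UNKNOWN_ENTRY)
        results["unknown_rejected"] = False
    except UnsupportedEntryError:
        results["unknown_rejected"] = True
    data = b"artifact bytes"
    for name, curve in (("p256", ec.SECP256R1()), ("p384", ec.SECP384R1())):
        priv = ec.generate_private_key(curve)
        sig = priv.sign(data, ec.ECDSA(ECDSA_CURVE_TO_HASH[curve.name]()))
        verify = verifier_for_key(priv.public_key())
        results[name] = (verify(data, sig), verify(data + b"x", sig))
    for name, key in (("rsa", rsa.generate_private_key(65537, 2048).public_key()),
                      ("ed25519", ed25519.Ed25519PrivateKey.generate().public_key())):
        try:
            verifier_for_key(key)
            results[name + "_rejected"] = False
        except UnsupportedKeyError:
            results[name + "_rejected"] = True
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point of keeping both allow-lists explicit is that a bundle with a kind, version or key type the verifier has never seen is refused rather than silently routed through the nearest handler; the backfill step only derives the type from what the body already states and never guesses one.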

Base automatically changed from rekov2-client to main June 12, 2025 18:27