Sign and verify with rekorv2 #1432

Open: wants to merge 15 commits into base branch main

Conversation

jku (Member) commented Jun 9, 2025

Start signing and verifying with rekor v2 (when signingconfig / trustedroot instruct to do so).

This is a continuation of #1414 (although does not use any direct commits from there). The verifier.py changes are mostly from @ramonpetgrave64

Contents:

  • SigningConfig now returns RekorV2Clients when appropriate
  • Verifier: verify_dsse() and verify_artifact() now handle v002 entry types
    • _validate_*_v001_entry_body() methods are just the existing code path refactored to separate methods
    • _validate_*_v002_entry_body() methods are the new validation code
  • tests:
    • SigningConfig tests are amended to test for different rekor clients
    • A simple rekorv2 signing test is added
    • a test asset is added for verifying rekorv2 signatures, this is used in an existing test
    • A trustconfig for signing with staging rekor v2 is added to assets: It's not used in tests but is handy for manually signing with --trust-config staging-but-sign-with-rekor-v2.json

Notes:

  • verification code needs a careful review: it mostly only changes validation of entries getting verified but still
  • Decision on feature flag: Currently it's all enabled as soon as trustedroot / signingconfig contains rekor v2 instance. We could put the signing part behind a --experimental flag for a release if this seems useful -- but I think I would prefer no new flags
  • I originally thought CLI changes are not needed but maybe we should add an extra line of output about rekor v2 signing being potentially slow before we make a request to rekorv2 (since we now wait until inclusion proof). This can be done in a followup issue though
  • Good ideas for better testing are welcome (I'm currently working on conformance tests, see Add verification tests / assets for staging rekor v2 sigstore-conformance#212: planning to mostly add the verification tests there if possible and not just here)

jku mentioned this pull request Jun 9, 2025
jku changed the title from "Sign with rekorv2" to "Sign and verify with rekorv2" Jun 9, 2025
jku force-pushed the rekov2-client branch 2 times, most recently from 334e1b2 to 983bfa6 (June 10, 2025 08:16)
jku force-pushed the sign-with-rekorv2 branch from 9b0a970 to e47e555 (June 10, 2025 14:11)
jku (Member, Author) commented Jun 10, 2025

  • rebased on the rekor v2 client branch
  • refactored verifier a bit more
  • Added a better failure for unknown entry types/versions: I think this is safe to do with regards to old bundles (the kind_version gets backfilled from the entry content itself during deserialization in those cases)
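The dispatch-by-entry-type structure this comment and the PR description refer to (separate `_validate_*_v001_*` / `_validate_*_v002_*` code paths, `kind_version` backfilled from old bundles, a hard failure for unknown types), as an added example that is not sigstore-python's own code. `LogEntry`, `validate_entry`, `VerificationError` and the validator names are assumptions made for the example; the v001 body follows the rekor v1 `hashedrekord` JSON layout, while the v002 body layout here is constructed for illustration only and is not the real rekor v2 format.

```python
"""Added example, not sigstore-python's own code: route log-entry validation
on (kind, version), backfill kind_version for old bundles, and fail clearly on
unknown entry types. Names and the v002 body layout are assumptions."""
from __future__ import annotations

import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable


class VerificationError(Exception):
    pass


@dataclass(frozen=True)
class LogEntry:
    body: bytes                 # canonicalized entry body from the bundle
    kind: str | None = None     # kind_version.kind; absent in some old bundles
    version: str | None = None  # kind_version.version


def backfill_kind_version(entry: LogEntry) -> LogEntry:
    """Old bundles may lack kind_version: recover it from the entry body
    (v001 bodies are JSON with top-level "kind" and "apiVersion")."""
    if entry.kind and entry.version:
        return entry
    try:
        doc = json.loads(entry.body)
    except ValueError as exc:
        raise VerificationError("no kind_version and body is not JSON") from exc
    kind, version = doc.get("kind"), doc.get("apiVersion")
    if not (isinstance(kind, str) and isinstance(version, str)):
        raise VerificationError("cannot recover kind_version from entry body")
    return LogEntry(entry.body, kind, version)


def _validate_hashedrekord_v001_body(body: bytes, digest: bytes, sig: bytes) -> None:
    """rekor v1 hashedrekord: JSON body carrying the artifact hash and signature."""
    spec = json.loads(body)["spec"]
    h = spec["data"]["hash"]
    if h["algorithm"] != "sha256" or h["value"] != digest.hex():
        raise VerificationError("v001 entry hash does not match the artifact")
    if base64.b64decode(spec["signature"]["content"]) != sig:
        raise VerificationError("v001 entry signature does not match the bundle")


def _validate_hashedrekord_v002_body(body: bytes, digest: bytes, sig: bytes) -> None:
    """CONSTRUCTED v002 layout for this example; a real rekor v2 body differs."""
    doc = json.loads(body)
    if bytes.fromhex(doc["digest"]) != digest:
        raise VerificationError("v002 entry hash does not match the artifact")
    if bytes.fromhex(doc["signature"]) != sig:
        raise VerificationError("v002 entry signature does not match the bundle")


# Supported (kind, version) pairs: adding rekor v2 means adding the 0.0.2 rows
# here instead of branching inside the verifier.
_VALIDATORS: dict[tuple[str, str], Callable[[bytes, bytes, bytes], None]] = {
    ("hashedrekord", "0.0.1"): _validate_hashedrekord_v001_body,
    ("hashedrekord", "0.0.2"): _validate_hashedrekord_v002_body,
}


def validate_entry(entry: LogEntry, artifact: bytes, sig: bytes) -> tuple[str, str]:
    """Validate the entry body against artifact and signature; an unknown
    kind/version pair fails instead of being silently accepted."""
    entry = backfill_kind_version(entry)
    validator = _VALIDATORS.get((entry.kind, entry.version))
    if validator is None:
        raise VerificationError(f"unsupported log entry {entry.kind} {entry.version}")
    validator(entry.body, hashlib.sha256(artifact).digest(), sig)
    return entry.kind, entry.version


# Constructed sample data (SIGNATURE is filler bytes, not a real signature).
ARTIFACT = b"hello sigstore\n"
SIGNATURE = bytes(range(64))
V001_BODY = json.dumps({
    "apiVersion": "0.0.1", "kind": "hashedrekord",
    "spec": {"data": {"hash": {"algorithm": "sha256",
                               "value": hashlib.sha256(ARTIFACT).hexdigest()}},
             "signature": {"content": base64.b64encode(SIGNATURE).decode()}},
}, sort_keys=True, separators=(",", ":")).encode()
V002_BODY = json.dumps({"digest": hashlib.sha256(ARTIFACT).hexdigest(),
                        "signature": SIGNATURE.hex()}).encode()

if __name__ == "__main__":
    print(validate_entry(LogEntry(V001_BODY, "hashedrekord", "0.0.1"), ARTIFACT, SIGNATURE))
    print(validate_entry(LogEntry(V001_BODY), ARTIFACT, SIGNATURE))  # kind_version backfilled
    print(validate_entry(LogEntry(V002_BODY, "hashedrekord", "0.0.2"), ARTIFACT, SIGNATURE))
    try:
        validate_entry(LogEntry(V002_BODY, "hashedrekord", "0.0.3"), ARTIFACT, SIGNATURE)
    except VerificationError as e:
        print("rejected:", e)
```

The registry keyed on the full `(kind, version)` pair is what makes the "better failure" cheap: a bundle carrying an entry type the verifier has no validator for is rejected up front, and a v1-only bundle still works because the pair is recovered from the JSON body.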

jku (Member, Author) commented Jun 11, 2025

last commit: Made sure we support the same signature algorithms in verification that we support with rekor v1 entries (we should support a bit more but that's another PR)

Base automatically changed from rekov2-client to main June 12, 2025 18:27
jku and others added 14 commits June 13, 2025 14:11
If signingconfig contains rekor v2, let's start preferring it

Make sure we test the status quo (no rekor v2 in signing config)
and the case where there is a rekor v2 in signing config.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---

This is current staging trust root and signing config, with just the
rekor v2 instance added to signing config

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---
This code is originally from Ramon, updated by Jussi

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md
$ sigstore --staging verify identity \
     --cert-identity jku@goto.fi \
     --cert-oidc-issuer https://github.com/login/oauth \
     README.md
OK: README.md

Co-authored-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---
This makes the code quite a bit uglier: we will likely want to
refactor...

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---

These are fairly basic for now.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

This reverts commit d7ddd50.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---

We can handle not just the key extraction but getting the whole
v2.Verifier for the certificate: both v002 types need it.

Also make private methods private and improve docstrings

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---

This change affects the signing certificate verification in rekor v2
entries:
* Support all ECDSA keys listed in
  https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md
* Don't support other algorithms yet since the actual signature verification
  does not support them currently

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
jku force-pushed the sign-with-rekorv2 branch from 441c416 to 47b7664 (June 13, 2025 11:13)

jku (Member, Author) commented Jun 13, 2025

Rebased on main after #1422 was merged: I will do a final self-review and mark this ready for review

EDIT: looks fine to me. The beginnings of conformance tests are in sigstore/sigstore-conformance#216 -- that PR is pending a sigstore-python release (or at least merging of this PR)

jku marked this pull request as ready for review June 13, 2025 13:15
jku requested review from di and woodruffw June 13, 2025 13:19
woodruffw added labels component:signing (Core signing functionality) and component:verification (Core verification functionality) Jun 13, 2025

jku (Member, Author) commented Jun 13, 2025

Also, a future work item is concurrent rekor requests:

  • Since rekor now responds to the request only after the inclusion proof is available, signing multiple artifacts is slow as currently implemented (each entry ends up integrated into the log in separate batches that only happen every few seconds)
  • if we send the rekor requests in parallel, all of them can be integrated in one go so signing should not be very slow
  • this might be harder than expected -- the architecture is not designed for this and e.g. requests Session is not thread safe

(alternative to parallelizing is to talk rekor-tiles project into providing api for creating multiple entries... But that'll still require client changes)
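The two effects described in this comment, sequential submissions each waiting for their own integration batch versus parallel submissions landing in one batch, and the need to keep a non-thread-safe session per worker, as an added example that is not sigstore-python's own code. `FakeLog` is a constructed stand-in for a rekor v2 instance that answers only once the entry is integrated, `FakeSession` stands in for a `requests.Session` held per thread via `threading.local`, and `RekorV2Client`, `sign_sequentially` and `sign_in_parallel` are names assumed for the example.

```python
"""Added example, not sigstore-python's own code: a rekor-v2-like log that
integrates entries in batches, driven sequentially and in parallel, with one
session object per worker thread. All classes here are constructed stand-ins."""
from __future__ import annotations

import threading
import time
from concurrent.futures import ThreadPoolExecutor


class FakeLog:
    """Constructed stand-in for rekor v2: a batch closes a fixed interval after
    the first pending entry arrives, and create_entry only returns after that."""

    def __init__(self, batch_interval: float = 0.1) -> None:
        self._interval = batch_interval
        self._cv = threading.Condition()
        self._pending: list[dict] = []
        self._batch_no = 0
        threading.Thread(target=self._integrator, daemon=True).start()

    def _integrator(self) -> None:
        while True:
            with self._cv:
                self._cv.wait_for(lambda: self._pending)
            time.sleep(self._interval)  # everything submitted meanwhile joins this batch
            with self._cv:
                self._batch_no += 1
                for result in self._pending:
                    result["batch"] = self._batch_no
                self._pending.clear()
                self._cv.notify_all()

    def create_entry(self, payload: bytes) -> int:
        """Block until the entry is integrated; return the batch it landed in."""
        result: dict = {"payload": payload}
        with self._cv:
            self._pending.append(result)
            self._cv.notify_all()
            self._cv.wait_for(lambda: "batch" in result)
        return result["batch"]


class FakeSession:
    """Constructed stand-in for requests.Session: must not be shared by threads."""

    created = 0
    _lock = threading.Lock()

    def __init__(self, log: FakeLog) -> None:
        self._log = log
        with FakeSession._lock:
            FakeSession.created += 1

    def post(self, payload: bytes) -> int:
        return self._log.create_entry(payload)


class RekorV2Client:
    """Lazily creates one session per thread instead of sharing a single one."""

    def __init__(self, log: FakeLog) -> None:
        self._log = log
        self._local = threading.local()

    def _session(self) -> FakeSession:
        session = getattr(self._local, "session", None)
        if session is None:
            session = self._local.session = FakeSession(self._log)
        return session

    def create_entry(self, payload: bytes) -> int:
        return self._session().post(payload)


def sign_sequentially(client: RekorV2Client, payloads: list[bytes]) -> list[int]:
    """Each call waits for its own batch, so N artifacts cost N batch intervals."""
    return [client.create_entry(p) for p in payloads]


def sign_in_parallel(client: RekorV2Client, payloads: list[bytes], workers: int = 8) -> list[int]:
    """All requests are in flight at once, so they are integrated in one batch."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(client.create_entry, payloads))


if __name__ == "__main__":
    client = RekorV2Client(FakeLog())
    payloads = [f"artifact-{i}".encode() for i in range(5)]
    print("sequential batches:", sign_sequentially(client, payloads))
    print("parallel batches:  ", sign_in_parallel(client, payloads))
    print("sessions created:  ", FakeSession.created)
```

With five artifacts the sequential run reports five distinct batch numbers and the parallel run a single one; the session counter shows that each worker thread got its own session rather than reusing the main thread's.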

ramonpetgrave64 (Contributor) commented:

> Good ideas for better testing are welcome

I think we can get a lot more coverage without writing new tests in #1441

A contributor commented on lines +241 to +244:

    @pytest.fixture
    def staging_with_rekorv2() -> tuple[
        type[SigningContext], type[Verifier], IdentityToken
    ]:

In #1441, we could add another param specific for this "alpha" instance.

A contributor commented on these lines:

    public_key = certificate.public_key()

    if isinstance(public_key, ec.EllipticCurvePublicKey):
        if isinstance(public_key.curve, ec.SECP256R1):

To confirm, what set of algorithms was supported previously?

A contributor replied:

It's that same one, also hardcoded in a few other places in sigstore-python.

jku (Member, Author) replied Jun 18, 2025:

#1439 is the follow up

I believe verify/verifier.py is really the only relevant place where this is hard coded (documented a couple of lines above this): the usage in sign.py is a separate decision that shouldn't be tied to this.

Labels
component:signing Core signing functionality component:verification Core verification functionality
4 participants