-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to unify signed and log timestamps #51
Add option to unify signed and log timestamps #51
Conversation
@steiza @kommendorkapten @phillmv PTAL (at commit 1a0fa2b, PR will be rebased once the other PR is merged) The summary of the various options is in #44 (comment) This is a WIP, looking for early comments. Remaining TODOs:
Also, this fixes a bug during log entry verification. When an inclusion proof is verified, the integrated timestamp was marked as verified. This is unsafe, because the integrated timestamp is unauthenticated metadata. It can only be trusted when signed over in the case of an SET. Given this library is not widely used, I don't think this needs a CVE (unless you think otherwise), but we should at least ping those who we know use this to upgrade. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good 🚀
Thank you @kommendorkapten for the discussions and reviews! @steiza any comments? |
Like sigstore#45, as long as the threshold of expected timestamps is met, then verification should succeed. Otherwise, entries without trust root material should be skipped. One benefit of having the log key ID be used to look up the correct trust root material is that we can still error out if the signature is invalid. Ref: sigstore#43 Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
This adds the WithObserverTimestamp option to verify that a threshold is met using both RFC3161 signed timestamps and log integrated timestamps. This updates the verification API for the log to only verify log inclusion proofs or SETs, so that log and timestamp verification are not conflated. This also fixes a bug where the integrated time is used with an inclusion proof. This is not safe to do, since the integrated time is not authenticated metadata without a SignedEntryTimestamp signature. Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
0c43326
to
8684030
Compare
Rebasing against HEAD, no changes besides go.mod updates (https://github.com/sigstore/sigstore-go/compare/0c43326f2ecf7d6d6a294c9391ff7831cb173bcd..8684030bcc34417d4d61e94c804e8e3a6ca21f12) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this change gives us the flexibility to cover almost any use case.
I do worry about the complexity of the interface, but I think for many (most?) users, they should just use WithObserverTimestamps()
and not need to dive into WithIntegratedTimestamps()
vs WithSignedTimestamps()
.
One minor comment, but I don't feel strongly that the current implementation need to change.
@@ -237,7 +237,7 @@ func main() { | |||
|
|||
// Check bundle and trusted root for Tlog information | |||
if len(tr.TlogAuthorities()) > 0 && b.HasInclusionPromise() { | |||
verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1)) | |||
verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: In trying to make sure I understand this pull request, I'm wondering if this should be verify.WithIntegratedTimestamps(1)
instead.
Generally, I think we want people to use WithObserverTimestamps()
and not have to reason about the specifics of WithIntegratedTimestamps()
or WithSignedTimestamps()
.
But I thought what we were saying on #42 is that the conformance test will infer the verification policy from the trust root, and if the trust root has tlogs
entries, we should rely on them both for inclusion and for establishing a timestamp?
I guess when inferring the policy from the trust root, there isn't a way to differentiate today. This isn't a problem really, but it does highlight the complexity of the problem space generally!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, this should be WithIntegratedTimestamps
since this is inferring a policy based on if a promise is present. I'll update in a follow up.
In order to infer WithObserverTimestamps
, which would be more permissive, it would probably look something like a check for either bundled timestamps or SETs. We could do that here, but we can be more precise with WithSignedTimestamps
and WithIntegratedTimestamps
.
Thanks for the review @steiza! Agreed that the goal is that most if not all users would leverage |
Follow up from sigstore#51 Fixes sigstore#62 Signed-off-by: Hayden Blauzvern <[email protected]>
Follow up from sigstore#51 Fixes sigstore#62 Signed-off-by: Hayden Blauzvern <[email protected]>
Follow up from #51 Fixes #62 Signed-off-by: Hayden Blauzvern <[email protected]>
Summary
This adds the WithObserverTimestamps option to verify that a threshold is
met using both RFC3161 signed timestamps and log integrated timestamps.
This also adds WithIntegratedTimestamps to verify a threshold for log integrated
timestamps.
This updates the verification API for the log to only verify log
inclusion proofs or SETs, so that log and timestamp verification are not
conflated.
This also fixes a bug where the integrated time is used with an
inclusion proof. This is not safe to do, since the integrated time is
not authenticated metadata without a SignedEntryTimestamp signature.
Fixes #44
Release Note
Documentation