Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate tlog entry when verifying signature via public key. #1833

Merged
merged 1 commit into from
May 4, 2022

Conversation

wlynch
Copy link
Member

@wlynch wlynch commented May 2, 2022

Summary

Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch [email protected]

Ticket Link

Fixes #1816

Release Note

BUG FIX: User-provided key verification with Rekor now verifies the Rekor entry as part of validation.

@wlynch
Copy link
Member Author

wlynch commented May 2, 2022

/cc @asraa

Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch <[email protected]>
@wlynch wlynch force-pushed the rekor-validate branch from 28746f5 to bf8713f Compare May 2, 2022 19:19
SigVerifier: sv,
RekorClient: mClient,
}); err == nil || !strings.Contains(err.Error(), "verifying inclusion proof") {
// TODO(wlynch): This is a weak test, since this is really failing because
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like trillian makes some fake inclusion proofs https://github.com/google/trillian/blob/3d7922afdce9fd0144e16aae08bea061c0ad1aee/merkle/logverifier/log_verifier_test.go#L45 for testing -- maybe we can do that?

@dlorenc dlorenc merged commit d46a3da into sigstore:main May 4, 2022
@github-actions github-actions bot added this to the v1.9.0 milestone May 4, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
…e#1833)

Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Verify pass private Rekor check even without Rekor public key
3 participants