Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend VerificationResult with all verified data #328

Open
codysoyland opened this issue Nov 4, 2024 · 2 comments
Open

Extend VerificationResult with all verified data #328

codysoyland opened this issue Nov 4, 2024 · 2 comments
Labels
enhancement New feature or request v1.0 items we want to consider for a v1.0 release

Comments

@codysoyland
Copy link
Member

Description

VerificationResult is the primary output of the verifier, and contains a "summary" of the verification result. Given that sigstore-go is primarily to be consumed by machines, and users of the library may need to have higher-fidelity data structures for post-processing, I would like to have VerificationResult contain more details about the verified data. Specifically:

  • For bundles signed with a certificate, I would like a list of list of certificate chains:
VerifiedCertificateChains [][]*x509.Certificate
  • TimestampVerificationResult only contains a type, URI, and timestamp. I would like to have separate fields for VerifiedTimestampingResponse and VerifiedTransparencyLogEntry including all the data from the bundle.
VerifiedTimestampingResponses []*timestamp.Timestamp
VerifiedLogEntries            []*models.LogEntryAnon
  • A list of verified SCTs would also be valuable:
VerifiedSCTs              []*ct.SignedCertificateTimestamp

This will have several follow-on effects to the current public API, adding return data to several functions such as:

  • func (v *SignedEntityVerifier) VerifyObserverTimestamps
  • func (v *SignedEntityVerifier) VerifyTransparencyLogInclusion
  • func VerifyArtifactTransparencyLog
  • func VerifyTimestampAuthority
  • func VerifySignedCertificateTimestamp

I believe that exposing these values from the verifier is important for clients that need data such as the specific transaction log entries that were verified, as there may be untrusted values in the bundle even if it passes the threshold.

The existing VerificationResult serves a role as a simple summary of verification, and we may consider exposing it unchanged as a separate return value, perhaps renaming it to VerificationSummary.
@codysoyland codysoyland added the enhancement New feature or request label Nov 4, 2024
@kommendorkapten
Copy link
Member

This sounds like a great proposal! Thanks for putting this together @codysoyland.

@steiza
Copy link
Member

steiza commented Dec 5, 2024

Returning the specific verification material that matched the signed material seems quite useful!

I was thinking "shouldn't func VerifyLeafCertificate also change?" but then I see it already returns certificate chains.

I think most people are using the top-level verification function and not these individual verification functions. The one exception I know of is in sigstore/cosign#3844 we call verify.VerifySignedCertificateTimestamp, but we only care about success and so it should be easy to adapt to a new return signature.

@codysoyland codysoyland added the v1.0 items we want to consider for a v1.0 release label Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request v1.0 items we want to consider for a v1.0 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@codysoyland @steiza @kommendorkapten