Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate tlog entry when verifying signature via public key. #1833

Merged
merged 1 commit into from
May 4, 2022
Merged

Validate tlog entry when verifying signature via public key. #1833

merged 1 commit into from
May 4, 2022

Conversation

wlynch
Copy link
Member

@wlynch wlynch commented May 2, 2022

Summary

Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch billy@chainguard.dev

Ticket Link

Fixes #1816

Release Note

BUG FIX: User-provided key verification with Rekor now verifies the Rekor entry as part of validation.

@wlynch
Copy link
Member Author

wlynch commented May 2, 2022

/cc @asraa

@wlynch
Validate tlog entry when verifying signature via public key.
bf8713f 
Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
asraa
asraa reviewed May 4, 2022
View reviewed changes
pkg/cosign/verify_test.go
SigVerifier: sv,
RekorClient: mClient,
}); err == nil || !strings.Contains(err.Error(), "verifying inclusion proof") {
// TODO(wlynch): This is a weak test, since this is really failing because
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like trillian makes some fake inclusion proofs https://github.com/google/trillian/blob/3d7922afdce9fd0144e16aae08bea061c0ad1aee/merkle/logverifier/log_verifier_test.go#L45 for testing -- maybe we can do that?

@dlorenc dlorenc merged commit d46a3da into sigstore:main May 4, 2022
@github-actions github-actions bot added this to the v1.9.0 milestone May 4, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@wlynch @mlieberman85
Validate tlog entry when verifying signature via public key. (sigstor…
518584a 
…e#1833)

Previously, when signatures were validated via public key, we only
checked for the existence of the tlog, but didn't actually validate the
entry. This refactors the code to ensure both cert + public paths go
through the same tlog entry validation.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.9.0
Development

Successfully merging this pull request may close these issues.

Verify pass private Rekor check even without Rekor public key
3 participants
@wlynch @asraa @dlorenc