From 6adb729dd8eb2a8e9192fe6cfb7f9804ed3f40ce Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Thu, 7 Dec 2023 22:26:12 +0000
Subject: [PATCH] Remove timestamp from checkpoint
Fixes https://github.com/sigstore/rekor/issues/1887. Verified that checkpoints are still verifiable with and without timestamps (since timestamps are just a part of the existing OtherContent, this is not a breaking change). Looking over all of the Sigstore org, no project is relying on the timestamp.
Signed-off-by: Hayden Blauzvern
---
 cmd/rekor-cli/app/log_info.go | 8 +-------
 pkg/util/checkpoint.go | 23 -----------------------
 pkg/util/checkpoint_test.go | 33 ++++++++++++++++++++++++++++++---
 3 files changed, 31 insertions(+), 33 deletions(-)
diff --git a/cmd/rekor-cli/app/log_info.go b/cmd/rekor-cli/app/log_info.go
index 71ac1a1d0..9cdfe90fb 100644
--- a/cmd/rekor-cli/app/log_info.go
+++ b/cmd/rekor-cli/app/log_info.go
@@ -22,7 +22,6 @@ import (
 "encoding/pem"
 "errors"
 "fmt"
- "time"
 "github.com/go-openapi/swag"
 rclient "github.com/sigstore/rekor/pkg/generated/client"
@@ -45,21 +44,17 @@ type logInfoCmdOutput struct {
 ActiveTreeSize int64
 TotalTreeSize int64
 RootHash string
- TimestampNanos uint64
 TreeID string
 }
 func (l *logInfoCmdOutput) String() string {
 // Verification is always successful if we return an object.
- ts := time.Unix(0, int64(l.TimestampNanos)).UTC().Format(time.RFC3339)
-
 return fmt.Sprintf(`Verification Successful!
 Active Tree Size: %v
 Total Tree Size: %v
 Root Hash: %s
-Timestamp: %s
 TreeID: %s
-`, l.ActiveTreeSize, l.TotalTreeSize, l.RootHash, ts, l.TreeID)
+`, l.ActiveTreeSize, l.TotalTreeSize, l.RootHash, l.TreeID)
 }
 // logInfoCmd represents the current information about the transparency log
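Review bot: Dropping `TimestampNanos` from `logInfoCmdOutput` and the `Timestamp: %s` line from `String()` changes what the log-info command emits, which the commit message does not cover: it argues only that checkpoint verification is unaffected. If this struct is also what the CLI serialises for machine-readable output (that code is not in the hunk), scripts reading the field will see it silently disappear, so the removal belongs in the changelog. The same applies to the exported `SetTimestamp` and `GetTimestamp` methods deleted from `pkg/util/checkpoint.go`, which is a Go API break for importers outside the Sigstore org.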
@@ -105,7 +100,6 @@ var logInfoCmd = &cobra.Command{
 ActiveTreeSize: swag.Int64Value(logInfo.TreeSize),
 TotalTreeSize: totalTreeSize(logInfo, logInfo.InactiveShards),
 RootHash: swag.StringValue(logInfo.RootHash),
- TimestampNanos: sth.GetTimestamp(),
 TreeID: swag.StringValue(logInfo.TreeID),
 }
 return cmdOutput, nil
diff --git a/pkg/util/checkpoint.go b/pkg/util/checkpoint.go
index 3d3534aec..f9999adea 100644
--- a/pkg/util/checkpoint.go
+++ b/pkg/util/checkpoint.go
@@ -23,7 +23,6 @@ import (
 "fmt"
 "strconv"
 "strings"
- "time"
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature/options"
@@ -145,27 +144,6 @@ func (r *SignedCheckpoint) UnmarshalText(data []byte) error {
 return nil
 }
-func (r *SignedCheckpoint) SetTimestamp(timestamp uint64) {
- var ts uint64
- for i, val := range r.OtherContent {
- if n, _ := fmt.Fscanf(strings.NewReader(val), "Timestamp: %d", &ts); n == 1 {
- r.OtherContent = append(r.OtherContent[:i], r.OtherContent[i+1:]...)
- }
- }
- r.OtherContent = append(r.OtherContent, fmt.Sprintf("Timestamp: %d", timestamp))
- r.SignedNote = SignedNote{Note: string(r.Checkpoint.String())}
-}
-
-func (r *SignedCheckpoint) GetTimestamp() uint64 {
- var ts uint64
- for _, val := range r.OtherContent {
- if n, _ := fmt.Fscanf(strings.NewReader(val), "Timestamp: %d", &ts); n == 1 {
- break
- }
- }
- return ts
-}
-
 // CreateAndSignCheckpoint creates a signed checkpoint as a commitment to the current root hash
 func CreateAndSignCheckpoint(ctx context.Context, hostname string, treeID int64, treeSize uint64, rootHash []byte, signer signature.Signer) ([]byte, error) {
 sth, err := CreateSignedCheckpoint(Checkpoint{
@@ -176,7 +154,6 @@ func CreateAndSignCheckpoint(ctx context.Context, hostname string, treeID int64,
 if err != nil {
 return nil, fmt.Errorf("error creating checkpoint: %v", err)
 }
- sth.SetTimestamp(uint64(time.Now().UnixNano()))
 if _, err := sth.Sign(hostname, signer, options.WithContext(ctx)); err != nil {
 return nil, fmt.Errorf("error signing checkpoint: %v", err)
 }
diff --git a/pkg/util/checkpoint_test.go b/pkg/util/checkpoint_test.go
index cfc54ffe7..57ac0f305 100644
--- a/pkg/util/checkpoint_test.go
+++ b/pkg/util/checkpoint_test.go
@@ -27,7 +27,6 @@ import (
 "crypto/sha256"
 "fmt"
 "testing"
- "time"
 "github.com/google/go-cmp/cmp"
 "github.com/sigstore/sigstore/pkg/signature"
@@ -225,6 +224,34 @@ func TestSigningRoundtripCheckpoint(t *testing.T) {
 wantSignErr: false,
 wantVerifyErr: false,
 },
+ {
+ c: Checkpoint{
+ Origin: "Log Checkpoint With Timestamp",
+ Size: 123,
+ Hash: []byte("bananas"),
+ OtherContent: []string{"Timestamp: 12345"},
+ },
+ identity: "someone",
+ signer: edPrivKey,
+ pubKey: edPubKey,
+ opts: crypto.Hash(0),
+ wantSignErr: false,
+ wantVerifyErr: false,
+ },
+ {
+ c: Checkpoint{
+ Origin: "Log Checkpoint With Multiple Other Contents",
+ Size: 123,
+ Hash: []byte("bananas"),
+ OtherContent: []string{"Timestamp: 12345", "Extra: Foo Bar"},
+ },
+ identity: "someone",
+ signer: edPrivKey,
+ pubKey: edPubKey,
+ opts: crypto.Hash(0),
+ wantSignErr: false,
+ wantVerifyErr: false,
+ },
 {
 c: Checkpoint{
 Origin: "Log Checkpoint Mismatch v0",
@@ -283,8 +310,8 @@ func TestSigningRoundtripCheckpoint(t *testing.T) {
 if err != nil {
 t.Fatalf("error creating signed checkpoint")
 }
- time := uint64(time.Now().UnixNano())
- sth.SetTimestamp(time)
+ // time := uint64(time.Now().UnixNano())
+ // sth.SetTimestamp(time)
 signer, _ := signature.LoadSigner(test.signer, crypto.SHA256)
 if _, ok := test.signer.(*rsa.PrivateKey); ok {
 signer, _ = signature.LoadRSAPSSSigner(test.signer.(*rsa.PrivateKey), crypto.SHA256, test.opts.(*rsa.PSSOptions))
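Review bot: The doc comment on `CreateAndSignCheckpoint` does not say that the signed note no longer carries an issuance time, which a relying party needs to know once `sth.SetTimestamp(...)` is removed here. I would add to that comment, which sits above this hunk: `// The checkpoint carries no issuance time; freshness must be established by the caller, e.g. with a consistency proof against a previously trusted checkpoint.` Two checkpoints signed at different times for the same tree state now appear to have identical note bodies; this is inferred from the signature, because the `Checkpoint{...}` literal is outside the hunk. The function body starts before the hunk.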
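Review bot: The two added table entries construct `OtherContent: []string{"Timestamp: 12345"}` in-process, so they do not by themselves pin the compatibility claim in the commit message, which is about checkpoints already issued by older servers. Consider adding a case that feeds a fixed, previously serialised signed checkpoint containing a `Timestamp:` line through `UnmarshalText` and then verifies it. The test loop body is outside this hunk, so it may already round-trip through the text form; if it does, a short comment on these entries saying so would be enough.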
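Review bot: The lines `// time := uint64(time.Now().UnixNano())` and `// sth.SetTimestamp(time)` are left behind as commented-out code and should be deleted outright. They refer to a method this commit removes from `pkg/util/checkpoint.go` and to the `time` import dropped earlier in this file, so they cannot be re-enabled as written and only suggest the timestamp path still exists. The enclosing test loop starts and ends outside the hunk.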