Search through all shards when searching by hash #1082
Conversation
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
|
Do we need to block on the Cosign fix? It's fairly unlikely that someone has uploaded the same entry cross-shard - It likely only affects the individual who reported the issue, and we can find a workaround (re-sign and reupload). |
priyawadhwa
force-pushed
the
search-shards
branch
3 times, most recently
from
854f174
to
2eca7b5
Compare
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
priyawadhwa
force-pushed
the
search-shards
branch
from
2eca7b5
to
1512822
Compare
|
@haydentherapper yep! removed that comment, this should be good to merge once it's green |
tests/sharding-e2e-test.sh
Outdated
| @@ -24,6 +24,8 @@ set -ex | |||
| echo "Installing createtree..." | |||
| go install github.com/google/trillian/cmd/createtree@latest | |||
|
|
|||
| echo "Installing cosign..." | |||
| go install github.com/sigstore/cosign/cmd/cosign@latest | |||
There was a problem hiding this comment.
this logic may evolve as time goes on - are we better actually reimplementing the logic here by directly calling the rekor APIs?
There was a problem hiding this comment.
i think we probably want to test with cosign somewhere, whether it's here or in a prober. not super opinionated on this one.
There was a problem hiding this comment.
+1 let's remove cosign and use rekor: the problem was reproducible with a SearchLogQuery
There was a problem hiding this comment.
server changes look fine to me, but CLI logic is incorrect now, for e.g.
rekor/cmd/rekor-cli/app/verify.go
Line 140 in 204d9af
just create a follow-up issue, because this is imp
tests/sharding-e2e-test.sh
Outdated
| @@ -251,6 +254,10 @@ ENTRY_ID_2=$($REKOR_CLI get --log-index 3 --rekor_server http://localhost:3000 - | |||
| NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"entryUUIDs\": [\"$ENTRY_ID_1\"]}" | jq '. | length') | |||
| stringsMatch $NUM_ELEMENTS "1" | |||
|
|
|||
| # Make sure we can verify the blob we entered into the now-inactive shard | |||
There was a problem hiding this comment.
you can replace with a call to ./rekor verify --public-key blah --artifact blah --signature blah with the artifact properties
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
Codecov Report
@@ Coverage Diff @@
## main #1082 +/- ##
===========================================
- Coverage 64.06% 40.94% -23.12%
===========================================
Files 82 74 -8
Lines 7482 7082 -400
===========================================
- Hits 4793 2900 -1893
- Misses 2067 3877 +1810
+ Partials 622 305 -317
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
https://build.opensuse.org/request/show/1029934 by user msmeissn + dimstar_suse - updated to rekor 1.0.0 (sc#SLE-23476): - add description on /api/v1/index/retrieve endpoint by @bobcallaway in sigstore/rekor#1073 - Adding e2e test coverage by @cdris in sigstore/rekor#1071 - export rekor build/version information by @cpanato in sigstore/rekor#1074 - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in sigstore/rekor#1083 - Search through all shards when searching by hash by @priyawadhwa in sigstore/rekor#1082 - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in sigstore/rekor#1092 - add ability to enable/disable specific rekor API endpoints by @bobcallaway in
This adds in a test with
cosign sign-blobandcosign verify-blobto make sure it is working as expected