Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Have conformance test require signed timestamps for bundles v02 #42

Merged
merged 2 commits into from
Dec 14, 2023
Merged

Have conformance test require signed timestamps for bundles v02 #42

merged 2 commits into from
Dec 14, 2023

Conversation

steiza
Copy link
Member

@steiza steiza commented Dec 12, 2023

Summary

This is a bit of a philosophical question, although either sigstore-go needs to behave this way or we need to change test_verify_rejects_bad_tsa_timestamp that was added in sigstore/sigstore-conformance#112.

In that conformance test, we have a bundle with media type v0.2 that includes timestampVerificationData (so far so good). But it also includes an inclusionPromise.signedEntryTimestamp, and it expects verification to fail when timestampVerificationData is incorrect but inclusionPromise.signedEntryTimestamp is correct.

This change makes it so v0.2 bundles require valid timestampVerificationData and for those bundles ignores inclusionPromise.signedEntryTimestamp. It's possible that instead we want to require any information provided to be valid.

Release Note

NONE

Documentation

N/A

@steiza
Have conformance test require signed timestamps for bundles v02
efdbf47 
It seems like this is the behavior that
`test_verify_rejects_bad_tsa_timestamp` is assuming, that was added in
sigstore/sigstore-conformance#112.

Signed-off-by: Zach Steindler <steiza@github.com>
@steiza steiza requested a review from a team December 12, 2023 22:06
@haydentherapper
Copy link
Contributor

Slack thread: https://sigstore.slack.com/archives/C03SZ6SHU90/p1702418056454379

It should be possible to have both a signed TSA timestamp and a SignedEntryTimestamp. To me, this is the same as having multiple signed TSA timestamps. A verifier will use its roots of trust to determine which timestamps to trust.

I'm thinking about treating the SET the same as the signed timestamp, removing the ability to configure this in policy, and instead relying on the configured roots of trust. This has some open questions: Do we simply ignore any verification failures and just search for one valid timestamp? Also, should verifiers be able to configure trusting a transparency log for timestamps vs inclusion proofs?

@kommendorkapten
Copy link
Member

To re-iterate what I wrote in the slack thread:

@haydentherapper wrote:

A verifier will use its roots of trust to determine which timestamps to trust.

What I believe is that all signatures not under the closure of the trust root should be ignored.

@steiza
Use the trust root and bundle contents to construct verification policy
d73b8fb 
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Copy link
Member Author

steiza commented Dec 13, 2023

The existing conformance tests supply the trusted root and the bundle (not an explicit policy), but with these changes the conformance driver can infer what the policy should be based on what's in the trusted root and the bundle.

@steiza steiza merged commit 0946840 into main Dec 14, 2023
9 checks passed
@steiza steiza deleted the conformance-with-bundle-v2 branch December 14, 2023 16:29
@steiza steiza mentioned this pull request Jan 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@steiza @haydentherapper @kommendorkapten