
Document 'SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY' #2122

Closed
lukehinds opened this issue Aug 3, 2022 · 9 comments
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@lukehinds
Member

A few users are being tripped up on this subject env not being documented. There should be an entry in docs.sigstore.dev

@lukehinds lukehinds added enhancement New feature or request good first issue Good for newcomers labels Aug 3, 2022
@hectorj2f
Contributor

+1

@asraa
Contributor

asraa commented Aug 3, 2022

This option should not be exposed at all -- this trusts the public key by querying Rekor, which provides no protection. Users need to use the other options for setting a custom Rekor key outside of TUF

Actually, it should be removed. I'm waiting on scaffolding changes to go through (they are staged right now!)

@asraa
Contributor

asraa commented Aug 3, 2022

This PR was actually incorrect: #2040

I'll put out a fix right now and add documentation on the correct way to set a custom non-TUF Rekor key.

@hectorj2f
Contributor

@asraa That PR was the result of this discussion #1997 (comment). Based on @haydentherapper comment, I assumed that was a well-known usage.

> this trusts the public key by querying Rekor, which provides no protection

Why are we exposing the public key in the Rekor API if that could lead to security issues?

@asraa
Contributor

asraa commented Aug 3, 2022

> @asraa That PR was the result of this discussion #1997 (comment). Based on @haydentherapper comment, I assumed that was a well-known usage.

I think there was just a mistake in the env var that the comment had.

See this earlier comment: #1997 (comment)

@asraa
Contributor

asraa commented Aug 3, 2022

@haydentherapper

@hectorj2f
Contributor

👍🏻 , I saw it now in #2124

@asraa
Contributor

asraa commented Aug 3, 2022

> Why are we exposing the public key in the Rekor API if that could lead to security issues?

Some services do not expose that for this reason. But it is convenient to double check what the public key is AGAINST an out of band delivered one.
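The two points asraa makes in this thread, that a key fetched from the Rekor API must never become the trust anchor for verifying that same log's signatures, and that the API key is still useful as a double check against an out-of-band copy, can be shown side by side in a small self-contained program. The following is an added illustration and not cosign's or Rekor's own code: it generates an ECDSA P-256 key pair standing in for the log key, a second pair standing in for an attacker who sits between the client and the Rekor endpoint, and a constructed JSON payload standing in for a log entry. `TrustAPIKey`, `TrustPinnedKey`, `CrossCheckAPIKey`, `Scenario` and the `/api/v1/log/publicKey` comment are all names and assumptions of this example, not identifiers from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// encodePublicKeyPEM PEM-encodes a public key in PKIX form, the shape a
// log operator would publish out of band.
func encodePublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParseRekorPublicKey parses a PEM PKIX ECDSA public key.
func ParseRekorPublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("expected an ECDSA public key")
	}
	return ec, nil
}

// CrossCheckAPIKey is the "double check AGAINST an out of band delivered one"
// from the thread: the API-served key is compared with the pinned key and is
// never itself promoted to a trust anchor.
func CrossCheckAPIKey(pinned *ecdsa.PublicKey, apiPEM []byte) error {
	apiKey, err := ParseRekorPublicKey(apiPEM)
	if err != nil {
		return fmt.Errorf("API key unparsable: %w", err)
	}
	if !pinned.Equal(apiKey) {
		return errors.New("Rekor API public key does not match the out-of-band key")
	}
	return nil
}

// VerifyEntrySignature checks an ASN.1 DER ECDSA signature over a payload.
// What it proves depends entirely on where pub came from.
func VerifyEntrySignature(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario models a client talking to a Rekor endpoint that may be under an
// attacker's control; the attacker can serve any key and any signature.
type Scenario struct {
	Pinned    *ecdsa.PublicKey // delivered out of band by the log operator (assumed)
	APIKeyPEM []byte           // what the hypothetical GET /api/v1/log/publicKey returned
	Payload   []byte           // constructed stand-in for a log entry
	Signature []byte           // signature served alongside the entry
}

// ConstructScenario builds an in-memory case; with attackerControlsAPI the
// key and signature both come from the attacker, as they would in a MITM.
func ConstructScenario(attackerControlsAPI bool) (Scenario, error) {
	logKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	signer := logKey
	if attackerControlsAPI {
		if signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return Scenario{}, err
		}
	}
	payload := []byte(`{"logIndex":42,"body":"constructed-entry"}`) // constructed
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return Scenario{}, err
	}
	apiPEM, err := encodePublicKeyPEM(&signer.PublicKey)
	if err != nil {
		return Scenario{}, err
	}
	return Scenario{Pinned: &logKey.PublicKey, APIKeyPEM: apiPEM, Payload: payload, Signature: sig}, nil
}

// TrustAPIKey mirrors the behaviour the thread says should be removed: the
// key fetched from the same endpoint is used directly as the verification key.
func TrustAPIKey(s Scenario) (bool, error) {
	apiKey, err := ParseRekorPublicKey(s.APIKeyPEM)
	if err != nil {
		return false, err
	}
	return VerifyEntrySignature(apiKey, s.Payload, s.Signature), nil
}

// TrustPinnedKey is the recommended path: cross-check, then verify with the
// out-of-band key only.
func TrustPinnedKey(s Scenario) (bool, error) {
	if err := CrossCheckAPIKey(s.Pinned, s.APIKeyPEM); err != nil {
		return false, err
	}
	return VerifyEntrySignature(s.Pinned, s.Payload, s.Signature), nil
}

func main() {
	for _, attacker := range []bool{false, true} {
		s, err := ConstructScenario(attacker)
		if err != nil {
			panic(err)
		}
		viaAPI, _ := TrustAPIKey(s)
		viaPinned, pinErr := TrustPinnedKey(s)
		fmt.Printf("attacker controls API=%v: trust-API-key accepts=%v, pinned-key accepts=%v (%v)\n",
			attacker, viaAPI, viaPinned, pinErr)
	}
}
```

In the honest case both paths accept the entry, so the insecure option looks fine in testing; in the attacker-controlled case `TrustAPIKey` still accepts, because whoever serves the key also serves the signature, while `TrustPinnedKey` fails at the cross-check before any signature is even examined. That is the sense in which querying Rekor for its own key "provides no protection".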

@lukehinds
Member Author

closing, thanks @asraa
