Update signature spec with TUF timestamp #1274

Merged: 1 commit, Jan 6, 2022

Conversation

haydentherapper (Contributor)
The timestamp will be used to find a versioned TUF target metadata.
This allows targets to be rotated while still being able to validate
old entries that were signed by previous targets.

Ref #1273

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Summary

Cosign currently can only verify signatures from current TUF metadata. This will cause signature verification to fail for old entries once the target, such as the Fulcio certificate, is rotated. Including the timestamp, along with additional work to persist versioned TUF targets, will allow cosign to find the previous target used to generate the signature.

I will implement this feature to be backwards compatible. If an entry does not include the timestamp, then cosign will use the latest TUF metadata.

#1273 contains additional context.

Release Note

* Updated signature spec with TUF timestamp

haydentherapper (Contributor, Author) commented Jan 5, 2022

cc @asraa @bobcallaway

asraa (Contributor) left a comment


Should this be signed? If not, would just putting the version number of the timestamp be equivalent?

Also -- should we 100% go for doing the timestamp lookup vs holding old fulcio / rekor certs into the current targets metadata to simplify logic?

asraa (Contributor) commented Jan 5, 2022

> Should this be signed? If not, would just putting the version number of the timestamp be equivalent?

JK, I am wrong: this is not equivalent, since the full timestamp contains the signatures on the timestamp.json.

haydentherapper (Contributor, Author)

> Should this be signed? If not, would just putting the version number of the timestamp be equivalent?

Yep, since timestamp.json is signed, we can use the versioned root role to verify it and avoid attacks that trick a client into using a different version of the TUF metadata (for example, maybe one of the targets was compromised) to verify the signature.

> Also -- should we 100% go for doing the timestamp lookup vs holding old fulcio / rekor certs into the current targets metadata to simplify logic?

I'd prefer to avoid growing targets indefinitely. As discussed offline, this also makes it easier for those who want offline TUF metadata for verifying old signatures where the TUF metadata is no longer hosted.
One benefit of keeping all old data in targets is if we want to mark a target as untrusted, we simply remove it from the list. However, this can be solved separately, as a signed list of untrusted targets.
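The lookup described in the Summary above and in the exchange on why the timestamp must be signed, as an added Go example that is not cosign's own code: a client verifies a stored timestamp.json envelope against the timestamp role keys and threshold it takes from root.json, then reads the snapshot version the timestamp pins, and falls back to the latest metadata when an entry carries no timestamp. The envelope layout follows TUF; the keyids, versions, expiry and the generated key are constructed for the example, and Go's encoding/json stands in for TUF canonical JSON when computing the signed bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// TUF metadata envelope: {"signed": {...}, "signatures": [{"keyid": ..., "sig": ...}]}.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type MetaFile struct {
	Version int `json:"version"`
}

type TimestampSigned struct {
	Type    string              `json:"_type"`
	Version int                 `json:"version"`
	Expires string              `json:"expires"`
	Meta    map[string]MetaFile `json:"meta"` // "snapshot.json" -> version it pins
}

type Timestamp struct {
	Signed     TimestampSigned `json:"signed"`
	Signatures []Signature     `json:"signatures"`
}

// TimestampRole is the part of root.json a client needs: which keys may sign
// timestamp.json and how many of them must agree.
type TimestampRole struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// signedBytes serialises the "signed" object. TUF signs canonical JSON (OLPC);
// encoding/json, which sorts map keys, stands in for it in this example.
func signedBytes(s TimestampSigned) ([]byte, error) { return json.Marshal(s) }

// SignTimestamp produces a timestamp.json envelope signed by one key.
func SignTimestamp(s TimestampSigned, keyID string, priv ed25519.PrivateKey) (Timestamp, error) {
	b, err := signedBytes(s)
	if err != nil {
		return Timestamp{}, err
	}
	sig := Signature{KeyID: keyID, Sig: hex.EncodeToString(ed25519.Sign(priv, b))}
	return Timestamp{Signed: s, Signatures: []Signature{sig}}, nil
}

// VerifyTimestamp requires Threshold distinct trusted keys to have signed the
// payload. Unknown keyids and invalid signatures are skipped, not counted, so
// padding the signature list cannot reach the threshold.
func VerifyTimestamp(ts Timestamp, role TimestampRole) error {
	b, err := signedBytes(ts.Signed)
	if err != nil {
		return err
	}
	valid := map[string]bool{}
	for _, s := range ts.Signatures {
		pub, ok := role.Keys[s.KeyID]
		raw, decErr := hex.DecodeString(s.Sig)
		if !ok || decErr != nil || !ed25519.Verify(pub, b, raw) {
			continue
		}
		valid[s.KeyID] = true
	}
	if len(valid) < role.Threshold {
		return fmt.Errorf("timestamp: %d valid signatures, threshold %d", len(valid), role.Threshold)
	}
	return nil
}

// SelectSnapshotVersion: an entry carrying a timestamp is checked against the
// timestamp role of the matching root and yields the snapshot version current
// when the entry was signed; an entry without one uses the latest metadata.
func SelectSnapshotVersion(ts *Timestamp, role TimestampRole, latest int) (int, error) {
	if ts == nil {
		return latest, nil
	}
	if err := VerifyTimestamp(*ts, role); err != nil {
		return 0, err
	}
	m, ok := ts.Signed.Meta["snapshot.json"]
	if !ok {
		return 0, errors.New("timestamp: no snapshot.json entry")
	}
	return m.Version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	role := TimestampRole{Keys: map[string]ed25519.PublicKey{"ts-key-1": pub}, Threshold: 1}
	// Constructed: the timestamp stored with an old entry pinned snapshot v3; v5 is current.
	old := TimestampSigned{Type: "timestamp", Version: 42, Expires: "2022-01-13T00:00:00Z",
		Meta: map[string]MetaFile{"snapshot.json": {Version: 3}}}
	ts, _ := SignTimestamp(old, "ts-key-1", priv)
	v, err := SelectSnapshotVersion(&ts, role, 5)
	fmt.Println("entry with timestamp -> snapshot version", v, err)

	tampered := ts // attacker rewrites the pinned version to point at other metadata
	tampered.Signed.Meta = map[string]MetaFile{"snapshot.json": {Version: 7}}
	_, err = SelectSnapshotVersion(&tampered, role, 5)
	fmt.Println("tampered pin rejected:", err)

	v, _ = SelectSnapshotVersion(nil, role, 5)
	fmt.Println("entry without timestamp -> latest snapshot version", v)
}
```

Rewriting the pinned version in the stored payload invalidates the signature, which is why a bare version number would not give the same guarantee. A real client would then fetch snapshot.<version>.json and, from it, the versioned targets.json naming the Fulcio or Rekor key in use when the entry was signed; that step is outside this example.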

dlorenc (Member) commented Jan 6, 2022

I like this approach! Nice work!

Should we merge this as is or wait until the implementation is ready?

bobcallaway (Member) left a comment


lgtm

haydentherapper (Contributor, Author)

Let's merge now, I'm working on the implementation, it should be ready soon.

@dlorenc dlorenc merged commit f19f4f7 into sigstore:main Jan 6, 2022
@github-actions github-actions bot added this to the v1.5.0 milestone Jan 6, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022