
verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API #2362

Merged (2 commits, Oct 27, 2022)

Conversation

asraa (Contributor) commented Oct 19, 2022

Signed-off-by: Asra Ali asraa@google.com

Scaffolding no longer requires it.

If users still depend on this, they can use the SIGSTORE_REKOR_PUBLIC_KEY and directly curl the rekor API

Related #2122

Summary

Release Note

* fix!: Breaking change. This removes the insecure environment variable `SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY` that is used to fetch the public key from the API of the configured Rekor URL. Use `SIGSTORE_REKOR_PUBLIC_KEY` to configure a custom rekor public key.
* fix!: Breaking change: `GetRekorPubs` no longer requires a rekor client. Rekor public keys are no longer fetched from the Rekor API directly when `SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY` is enabled.

Documentation

@asraa asraa requested a review from vaikas October 19, 2022 20:14
asraa (Contributor, Author) commented Oct 19, 2022

As a follow-up I'd still like to move the RekorPublicKeys to part of Sign/Verification options like Fulcio Roots are. This is generally tough, I always got stuck, but we'll see. That way GetRekorPubs is not called internally in the sign/verify flows and users can configure it.

codecov-commenter commented Oct 19, 2022

Codecov Report

Merging #2362 (b45a4f3) into main (32f6f1a) will increase coverage by 0.04%.
The diff coverage is 77.77%.

```
@@            Coverage Diff             @@
##             main    #2362      +/-   ##
==========================================
+ Coverage   30.19%   30.24%   +0.04%     
==========================================
  Files         136      136              
  Lines        8432     8416      -16     
==========================================
- Hits         2546     2545       -1     
+ Misses       5555     5541      -14     
+ Partials      331      330       -1     
```

| Impacted Files | Coverage Δ |
| --- | --- |
| pkg/cosign/env/env.go | 88.88% <ø> (ø) |
| pkg/cosign/tlog.go | 40.06% <50.00%> (+1.62%) ⬆️ |
| cmd/cosign/cli/verify/verify_blob.go | 46.41% <100.00%> (ø) |
| pkg/cosign/verify.go | 34.13% <100.00%> (ø) |


pkg/cosign/tlog.go (review thread: outdated, resolved)
pkg/cosign/tlog.go (review thread: outdated, resolved)
znewman01 previously approved these changes Oct 20, 2022
haydentherapper (Contributor)

Yay!

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
asraa (Contributor, Author) commented Oct 26, 2022

I think the CI failure was flaky, but rebased and crossing my fingers!

asraa (Contributor, Author) commented Oct 27, 2022

If we make a v2 branch I'll remove the unused param there. Merging for now.

@asraa asraa merged commit ca0959a into sigstore:main Oct 27, 2022