
_internal/tuf: Use expired Fulcio certificates too #386

Merged
merged 2 commits into from
Jan 5, 2023

Conversation

jku
Copy link
Member

@jku jku commented Jan 5, 2023

Fixes #385

Summary

Currently only "active" Fulcio certificates are used when verifying. However, expired Fulcio certificates may have been active at signing time: We should include them in the "bundle of certificate chains" that is used during verify.

Release Note

  • Included inactive Fulcio certificates in the certificate bundle that is used to verify signing certificate validity

Expired Fulcio certificates may have been active at signing time: We
should include them in the "bundle of certificate chains".

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
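The point in the description is that a Fulcio CA which is expired today may still have been the valid issuer at signing time, so dropping "Expired" entries from the bundle makes older signatures unverifiable. The following is an added illustration, not sigstore-python's own code: a constructed, stdlib-only model of the TUF Fulcio targets (the `status` field mirrors the Active/Expired value in the real metadata, the certificates themselves are stand-ins with only issuer names and validity windows, no signature check) showing the pre-fix filter against the fixed one, and that validity must be judged at signing time rather than at verification time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed stand-in for a Fulcio CA certificate as delivered via TUF.
@dataclass(frozen=True)
class CaCert:
    subject: str
    not_before: datetime
    not_after: datetime
    status: str  # "Active" or "Expired", as in the TUF targets metadata


# Constructed stand-in for the short-lived signing certificate Fulcio issues.
@dataclass(frozen=True)
class LeafCert:
    issuer: str
    not_before: datetime
    not_after: datetime


NOW = datetime(2023, 1, 5, tzinfo=timezone.utc)

# Constructed bundle: an older Fulcio CA that has since expired, and the current one.
BUNDLE = [
    CaCert("fulcio-old", NOW - timedelta(days=700), NOW - timedelta(days=200), "Expired"),
    CaCert("fulcio-new", NOW - timedelta(days=250), NOW + timedelta(days=900), "Active"),
]


def select_ca_certs(bundle, include_expired):
    """Pre-fix behaviour kept only Active entries; the fix keeps every entry."""
    return [c for c in bundle if include_expired or c.status == "Active"]


def chain_valid_at(leaf, ca_certs, at):
    """True if some CA in ca_certs is the leaf's issuer and both were valid at `at`."""
    for ca in ca_certs:
        if ca.subject != leaf.issuer:
            continue
        if ca.not_before <= at <= ca.not_after and leaf.not_before <= at <= leaf.not_after:
            return True
    return False


# Constructed signing certificate issued by the old CA while that CA was still active.
SIGNING_TIME = NOW - timedelta(days=400)
LEAF = LeafCert("fulcio-old", SIGNING_TIME, SIGNING_TIME + timedelta(minutes=10))


def verify(leaf, signing_time, include_expired):
    """Build the CA set the way the verifier would and check the chain at signing time."""
    return chain_valid_at(leaf, select_ca_certs(BUNDLE, include_expired), signing_time)
```

With the Active-only filter the old issuer is absent and verification fails; with the full bundle the chain checks out at signing time, while checking the same chain at the current time still fails because the old CA is now expired.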
@jku
Member Author

jku commented Jan 5, 2023

Oh, forgot to talk about testing:

  • I have manually verified that the third (expired) certificate in the production instance metadata is being downloaded and used
  • I have not tried verifying a signature that uses that expired certificate because I have not found one I could use

@di
Member

di commented Jan 5, 2023

/gcbrun

@woodruffw
Member

woodruffw commented Jan 5, 2023

> I have not tried verifying a signature that uses that expired certificate because I have not found one I could use

Some of our older sigstore-python releases should have a signing cert that's chained up to that older Fulcio cert. I'll check.

Edit: Hmm, maybe not. I'll check the cosign repo and see if they have a test asset we can crib instead...

@woodruffw woodruffw left a comment

LGTM in any case, I'll do a follow-up with a test asset 🙂

@woodruffw
Member

/gcbrun

@woodruffw woodruffw added safe to test component:tuf TUF related components component:verification Core verification functionality labels Jan 5, 2023
@woodruffw woodruffw merged commit af7e6ed into sigstore:main Jan 5, 2023
@woodruffw
Member

Yeah, I can't find a good asset to test with here -- even the older certificates I made during testing weren't chained against the "expired" root, but are rather just missing the intermediate CA that was added in ~July.

@di
Member

di commented Jan 5, 2023

I didn't look, but I bet you can find an old-enough cert for https://rekor.tlog.dev/?hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (the shasum of an empty file)

Successfully merging this pull request may close these issues.

_internal/tuf: return also "expired" fulcio certificates