_internal/tuf: Use expired Fulcio certificates too #386
Conversation
Expired Fulcio certificates may have been active at signing time: We should include them in the "bundle of certificate chains". Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Oh, forgot to talk about testing:
/gcbrun
Some of our older Edit: Hmm, maybe not. I'll check the
LGTM in any case, I'll do a follow-up with a test asset 🙂
/gcbrun
Yeah, I can't find a good asset to test with here -- even the older certificates I made during testing weren't chained against the "expired" root, but are rather just missing the intermediate CA that was added in ~July.
I didn't look, but I bet you can find an old-enough cert for https://rekor.tlog.dev/?hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (the shasum of an empty file)
Fixes #385
Summary
Currently only "active" Fulcio certificates are used when verifying. However, expired Fulcio certificates may have been active at signing time: We should include them in the "bundle of certificate chains" that is used during verify.
Release Note
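An added example, not sigstore-python's own code, that models the bundle selection the summary describes: the two certificate shapes, the trust-root entries, the dates and the leaf are assumptions constructed for illustration. It contrasts the pre-fix "active only" bundle with keeping every chain, expired ones included, and checking validity at the signing time instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc

@dataclass(frozen=True)
class CertificateAuthority:
    """Assumed shape of one trust-root CA entry: chain subject plus its validity
    window (valid_until is None while the CA is still active)."""
    subject: str
    valid_from: datetime
    valid_until: Optional[datetime]

@dataclass(frozen=True)
class SigningCert:
    """Assumed shape of a short-lived Fulcio signing certificate."""
    issuer: str
    not_before: datetime
    not_after: datetime

# Constructed sample data (dates are made up): a Fulcio root that has since
# expired, its replacement, and a leaf issued under the old root in Jan 2022.
OLD_ROOT = CertificateAuthority("CN=sigstore (old root)", datetime(2021, 3, 7, tzinfo=UTC),
                                datetime(2022, 12, 31, tzinfo=UTC))
NEW_ROOT = CertificateAuthority("CN=sigstore (current root)", datetime(2022, 4, 13, tzinfo=UTC), None)
TRUST_ROOT = [OLD_ROOT, NEW_ROOT]
SIGNED_AT = datetime(2022, 1, 15, 12, 0, tzinfo=UTC)          # e.g. the Rekor integrated time
LEAF = SigningCert(OLD_ROOT.subject, SIGNED_AT, SIGNED_AT + timedelta(minutes=10))
NOW = datetime(2023, 6, 1, tzinfo=UTC)                        # verification time

def is_valid_at(ca: CertificateAuthority, when: datetime) -> bool:
    return ca.valid_from <= when and (ca.valid_until is None or when <= ca.valid_until)

def active_bundle(trust_root: List[CertificateAuthority], now: datetime):
    """Pre-fix behaviour: only CAs active at verification time make the bundle.
    The fix is to hand find_issuer the whole trust root, expired chains included."""
    return [ca for ca in trust_root if is_valid_at(ca, now)]

def find_issuer(bundle, leaf: SigningCert, signing_time: datetime) -> Optional[CertificateAuthority]:
    """Return the CA that issued `leaf` and was valid at signing time, else None.
    Both checks use signing_time, not the clock: Fulcio leaf certs expire within
    minutes, so "valid now" is never the question for the leaf or its issuer."""
    if not (leaf.not_before <= signing_time <= leaf.not_after):
        return None
    for ca in bundle:
        if ca.subject == leaf.issuer and is_valid_at(ca, signing_time):
            return ca
    return None
```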