Skip to content

Use rekor signedEntryTimestamp if present #285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Apr 30, 2021
Merged

Use rekor signedEntryTimestamp if present #285

merged 10 commits into from
Apr 30, 2021

Conversation

priyawadhwa
Copy link
Contributor

If the SET is present, we store the logEntry as a bundle annotation. On verify, we first try to verify it against the rekor public key (not experimental). if that fails, then we hit the tlog.

Starts to address #281, still need to add the --verify-inclusion flag to force checking the tlog

@priyawadhwa priyawadhwa force-pushed the bundle branch 2 times, most recently from 74741b9 to f5e00d5 Compare April 28, 2021 22:15
Fix integration test
53dd343 
Signed-off-by: Priya Wadhwa <[email protected]>
Priya Wadhwa added 2 commits April 28, 2021 16:35
Allow passing in additional annotations to check for in deduper
5e9b248 
The TestTlog test was failing because it was going through this flow:
1. Sign and verify image
2. Turn on experimental feature
3. Sign and verify image again

The second verification was failing with bundling because the deduper thought the image already existed, even though we were trying to tack on a new bundle annotation.

This way, we can pass in extra annotations we want the deduper to check for before deciding the signature alrady exists.

Signed-off-by: Priya Wadhwa <[email protected]>
Update spec with details about bundle
6ff91f3 
Signed-off-by: Priya Wadhwa <[email protected]>
dlorenc
dlorenc reviewed Apr 29, 2021
View reviewed changes
Copy link
Member

@dlorenc dlorenc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is so cool.

dlorenc
dlorenc reviewed Apr 29, 2021
View reviewed changes
Priya Wadhwa added 2 commits April 29, 2021 10:21
Address code review comments
acdbe83 
- Only store SET and canonicalized payload in the bundle annotation
- Add more bundle details to spec
- Add details around updating the rekor public key

Signed-off-by: Priya Wadhwa <[email protected]>
Include info about offline verification in output
5dfa59c 
Signed-off-by: Priya Wadhwa <[email protected]>
dekkagaijin
dekkagaijin previously requested changes Apr 29, 2021
View reviewed changes
Fix merge conflict
15c4907 
Signed-off-by: Priya Wadhwa <[email protected]>
dlorenc
dlorenc reviewed Apr 29, 2021
View reviewed changes
Copy link
Member

@dlorenc dlorenc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit on the opts struct.

@dlorenc
Copy link
Member

dlorenc commented Apr 30, 2021

Ehl gee tee emm!

@priyawadhwa priyawadhwa merged commit a2bf758 into sigstore:main Apr 30, 2021
@priyawadhwa priyawadhwa deleted the bundle branch April 30, 2021 00:42
tommyd450 pushed a commit to tommyd450/cosign that referenced this pull request Apr 17, 2025
@JasonPowr
Merge pull request sigstore#285 from securesign/update-to-upstream
fcfe9e5 
Update to upstream - v2.4.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dekkagaijin dekkagaijin dekkagaijin left review comments

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@priyawadhwa @dlorenc @dekkagaijin