
Verify entry signatures #146

Merged (1 commit), Mar 28, 2025

Conversation

cmurphy (Contributor) commented Mar 25, 2025

This copies in parts of github.com/sigstore/rekor/pkg/pki to help with parsing the public key and checking the signature.

Fixes #10

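The two steps the description names, parsing the public key and checking the signature, as an added example that is not the PR's code and not Rekor's pkg/pki: a PEM-encoded PKIX public key is decoded and an ECDSA signature is checked over the SHA-256 digest of an artifact, the convention a hashedrekord entry records. Assumptions: only ECDSA keys are handled, the digest algorithm is fixed to SHA-256, and `VerifyHashedRekord` and `DemoSign` are hypothetical names with a constructed P-256 key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// VerifyHashedRekord decodes a PEM "PUBLIC KEY" block (PKIX encoding, the form
// a hashedrekord entry carries), re-hashes the artifact with SHA-256 (fixed
// here, as hashedrekord expects) and checks the ASN.1 ECDSA signature over it.
// Assumption: only ECDSA keys are handled in this example.
func VerifyHashedRekord(pemBytes, artifact, sig []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("no PEM PUBLIC KEY block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing PKIX public key: %w", err)
	}
	ecKey, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T", key)
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(ecKey, digest[:], sig) {
		return errors.New("signature does not verify over the artifact digest")
	}
	return nil
}

// DemoSign builds a constructed sample entry (not real log data): an ephemeral
// P-256 key in PEM form and its signature over the SHA-256 digest of artifact.
func DemoSign(artifact []byte) (pemBytes, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pemBytes = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	digest := sha256.Sum256(artifact)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return pemBytes, sig, err
}
```

A tampered artifact or a non-PEM key must both be rejected; the verifier re-derives the digest rather than trusting one supplied with the entry.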

@cmurphy cmurphy force-pushed the entry-signatures branch 3 times, most recently from beb3b54 to 8a922d0 Compare March 26, 2025 22:33
@cmurphy cmurphy marked this pull request as ready for review March 26, 2025 22:37
@cmurphy cmurphy requested review from a team as code owners March 26, 2025 22:37

codecov bot commented Mar 26, 2025

Codecov Report

Attention: Patch coverage is 38.80208% with 235 lines in your changes missing coverage. Please review.

Project coverage is 31.32%. Comparing base (13271f9) to head (5bbc4cc).
Report is 6 commits behind head on main.

Files with missing lines                     Patch %   Lines
pkg/pki/x509/testutils/cert_test_utils.go     0.00%   141 Missing
pkg/pki/x509/x509.go                         61.39%   48 Missing and 13 partials
pkg/types/dsse/dsse.go                       68.51%   11 Missing and 6 partials
pkg/types/hashedrekord/hashedrekord.go       48.38%   12 Missing and 4 partials
@@            Coverage Diff             @@
##             main     #146      +/-   ##
==========================================
+ Coverage   26.84%   31.32%   +4.47%     
==========================================
  Files          29       35       +6     
  Lines        1892     2442     +550     
==========================================
+ Hits          508      765     +257     
- Misses       1346     1606     +260     
- Partials       38       71      +33     


cmurphy (Contributor, Author) commented Mar 26, 2025

Can rebase on #144 if that goes in first

jku (Member) left a comment

seems ok to me (one question in code though):

  • please decide merge order with @loosebazooka
  • let's have a good look at both test coverage (with an eye for more than code line coverage) and potentially simplifying these critical verification methods after these big PRs are in

loosebazooka (Member) commented

I can merge last. I'd like to talk through the new protos in our sync today

loosebazooka (Member) left a comment

Seems fine to me if we're mostly just copying over from rekor

"io"
"strings"

"github.com/asaskevich/govalidator"
Member commented on the govalidator import:

It looks like this hasn't had a release since 2021, maybe that's okay? It doesn't look abandoned.

cmurphy (Contributor, Author) replied:

Actually I can remove this, it looks like it's only used to verify EmailAddresses and there's a note saying that was deprecated https://github.com/sigstore/rekor/blob/73dba7c07d0747f00119417fc0ff994a393f97b2/pkg/pki/pki.go#L28

Commit message (GitHub-verified signature; the signing key has since expired):

This copies in parts of github.com/sigstore/rekor/pkg/pki to help
with parsing the public key and checking the signature.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
cmurphy (Contributor, Author) commented Mar 27, 2025

Removed the deprecated x509 interface method and added tests for x.509 verifiers.

haydentherapper (Contributor) commented

Quick comment, this looks good. There are a few things I'd like to change in the copied files, such as cleaning up hardcoded sha256 refs and dropping support for cert chains, but I'd rather this get merged with minimal changes to the copied files and we follow up later. Feel free to create an issue and assign it to me for following up.

cmurphy (Contributor, Author) commented Mar 28, 2025

@haydentherapper #156

@cmurphy cmurphy merged commit 32e3c56 into sigstore:main Mar 28, 2025
12 checks passed
Successfully merging this pull request may close these issues.

Add entry verifiers (copy from Rekor v1)