Sign and verify with rekorv2 #1431
Closed (5 commits)

Conversation

@jku jku commented Jun 9, 2025

Start signing and verifying with rekor v2 (when signingconfig / trustedroot instruct to do so).

Status:

Contents:

  • SigningConfig now returns RekorV2Clients when appropriate
  • tests:
    • SigningConfig tests are amended to test for different rekor clients
    • A simple rekorv2 signing test is added
    • a test asset is added for verifying rekorv2 signatures, this is used in an existing test
  • Verifier: verify_dsse() and verify_artifact() now handle v002 entry types
  • A trustconfig for signing with staging rekor v2 is added to assets: It's not used in tests but is handy for manually signing with --trust-config test/assets/trust_config/staging-but-sign-with-rekor-v2.json

TODO:

  • Verifier contains a bit too much manual protobuf building: should clean that up
  • Good ideas for better testing are welcome
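The "prefer rekor v2 once the signing config lists it" selection from the first bullet above, as an added stand-alone illustration that is not sigstore-python's own code: it reads a constructed signing config in the Sigstore SigningConfig JSON shape (the field names rekorTlogUrls, majorApiVersion and validFor are assumed from that format), drops services that are not currently valid or whose major API version this client does not support, and keeps only the highest supported version, so v1 stays in use until a v2 instance becomes valid.

```python
import json
from datetime import datetime, timezone

SUPPORTED_REKOR_VERSIONS = {1, 2}  # this client speaks Rekor v1 and v2 only

# Constructed sample in the SigningConfig shape (field names assumed from the
# Sigstore trust-root format). URLs are placeholders, not real instances.
SAMPLE_SIGNING_CONFIG = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
    "rekorTlogUrls": [
        {"url": "https://rekor-v1.example", "majorApiVersion": 1,
         "validFor": {"start": "2024-01-01T00:00:00Z"}},
        {"url": "https://rekor-v2.example", "majorApiVersion": 2,
         "validFor": {"start": "2025-06-01T00:00:00Z"}},
        {"url": "https://rekor-v9.example", "majorApiVersion": 9,
         "validFor": {"start": "2025-06-01T00:00:00Z"}},
    ],
})


def _parse_ts(value: str) -> datetime:
    # RFC 3339 with a trailing "Z"; older Pythons do not accept "Z" directly.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_active(service: dict, now: datetime) -> bool:
    # A service with no validFor is treated as always valid.
    valid_for = service.get("validFor", {})
    start, end = valid_for.get("start"), valid_for.get("end")
    if start and now < _parse_ts(start):
        return False
    if end and now > _parse_ts(end):
        return False
    return True


def select_rekor_services(config_json: str, now=None) -> list:
    """Return (major_api_version, url) pairs to log to: only services that are
    valid at `now` and supported, and of those only the highest version."""
    if isinstance(now, str):
        now = _parse_ts(now)
    now = now or datetime.now(timezone.utc)
    config = json.loads(config_json)
    candidates = [
        (svc["majorApiVersion"], svc["url"])
        for svc in config.get("rekorTlogUrls", [])
        if svc.get("majorApiVersion") in SUPPORTED_REKOR_VERSIONS
        and _is_active(svc, now)
    ]
    if not candidates:
        raise ValueError("signing config lists no usable Rekor instance")
    best = max(version for version, _ in candidates)
    return [(v, url) for v, url in candidates if v == best]
```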

jku and others added 5 commits June 9, 2025 12:10

If signingconfig contains rekor v2, let's start preferring it

Make sure we test the status quo (no rekor v2 in signing config)
and the case where there is a rekor v2 in signing config.

Signed-off-by: Jussi Kukkonen <[email protected]>


This is current staging trust root and signing config, with just the
rekor v2 instance added to signing config

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md

Signed-off-by: Jussi Kukkonen <[email protected]>


This code is originally from Ramon, updated by Jussi

$ TRUSTCONFIG=test/assets/trust_config/staging-but-sign-with-rekor-v2.json
$ sigstore --trust-config $TRUSTCONFIG sign README.md
$ sigstore --staging verify identity \
     --cert-identity [email protected] \
     --cert-oidc-issuer https://github.com/login/oauth \
     README.md
OK: README.md

Co-authored-by: Ramon Petgrave <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>


This makes the code quite a bit uglier: we will likely want to
refactor...

Signed-off-by: Jussi Kukkonen <[email protected]>


These are fairly basic for now.

Signed-off-by: Jussi Kukkonen <[email protected]>
jku commented Jun 9, 2025

hmm I will do this on an origin branch instead to get all the tests running

@jku jku closed this Jun 9, 2025