
Add comment that integration time is only trustworthy with an SET #442

Merged
merged 1 commit into from
Dec 10, 2024

Conversation

@haydentherapper
Collaborator

This was something that we ran into in sigstore-go, that the timestamp was used regardless of whether the signature over the timestamp was verified. This comment is meant to couple these fields together.

Summary

Release Note

Documentation

This was something that we ran into in sigstore-go, that the timestamp was
used regardless of whether the signature over the timestamp was verified. This
comment is meant to couple these fields together.

Signed-off-by: Hayden Blauzvern <[email protected]>
@woodruffw
Member

LGTM, although out of curiosity: does the signed checkpoint count as an alternative source of time? In other words, is the requirement:

inclusion_promise OR rfc3161_timestamp

or is it:

inclusion_promise OR signed_checkpoint OR rfc3161_timestamp

I ask because we might have a similar gap in sigstore-python: we require a signed checkpoint and verify the inclusion promise if the latter is present, but the latter is not currently mandatory.

(I think the ambiguity here originally came from the fact that signed checkpoints included timestamps in their ancillary data, but I'm not clear on whether this is still true...)

@haydentherapper
Collaborator Author

It is inclusion_promise OR rfc3161_timestamp. A signed_checkpoint is not sufficient because it has no timestamp (and you're right, it used to, but that got removed because that timestamp was unrelated to time of inclusion).

In sigstore-go, we have verification of Rekor-related metadata and verification of RFC3161 timestamps. For the former, we a) verify an inclusion proof and signed checkpoint if present, b) verify an inclusion promise if present AND return integrated_time. We then verify RFC 3161 timestamps. Then we gather all verified timestamps together and try to verify the certificate with those timestamps.
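The gathering step described above, as an added example that is not sigstore-go's code: integrated_time is returned only when the inclusion promise's SET verifies, already-verified RFC 3161 times are appended, and a signed checkpoint contributes nothing because it carries no time. The struct, field names and the use of Ed25519 in place of Rekor's ECDSA key are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// InclusionPromise is a constructed stand-in (not sigstore-go's type) for a
// Rekor entry plus its Signed Entry Timestamp (SET): the log's signature over
// {body, integratedTime, logID, logIndex}. Ed25519 stands in for Rekor's ECDSA.
type InclusionPromise struct {
	Body           string `json:"body"`
	IntegratedTime int64  `json:"integratedTime"`
	LogID          string `json:"logID"`
	LogIndex       int64  `json:"logIndex"`
	SET            []byte `json:"-"`
}

// payload is the signed message; fields are declared in sorted key order so
// encoding/json emits key-sorted, whitespace-free bytes like canonical JSON.
func (p InclusionPromise) payload() []byte {
	b, _ := json.Marshal(p)
	return b
}

// SignPromise attaches the SET using the (assumed) log signing key.
func SignPromise(logPriv ed25519.PrivateKey, p InclusionPromise) InclusionPromise {
	p.SET = ed25519.Sign(logPriv, p.payload())
	return p
}

// TrustedTimes couples integrated_time to SET verification: it is used only
// when the SET verifies, and a bad SET fails verification outright. tsaTimes
// are RFC 3161 timestamps the caller has already verified against the TSA.
func TrustedTimes(logPub ed25519.PublicKey, promise *InclusionPromise, tsaTimes []time.Time) ([]time.Time, error) {
	var times []time.Time
	if promise != nil {
		if !ed25519.Verify(logPub, promise.payload(), promise.SET) {
			return nil, errors.New("inclusion promise SET invalid: integrated_time is untrusted")
		}
		times = append(times, time.Unix(promise.IntegratedTime, 0).UTC())
	}
	times = append(times, tsaTimes...)
	if len(times) == 0 {
		return nil, errors.New("need an inclusion promise or an RFC 3161 timestamp")
	}
	return times, nil
}
```

The returned slice is what the certificate validity check is then run against; a bundle with only a signed checkpoint reaches the "no time source" error.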

@woodruffw
Member

Got it, thanks! This change makes sense to me, then, and it sounds like I need to strengthen the inclusion promise requirement within sigstore-python.

@woodruffw woodruffw merged commit ad0a758 into sigstore:main Dec 10, 2024
24 checks passed
@haydentherapper haydentherapper deleted the trust-set branch December 10, 2024 21:17