-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify certificate validity with only current time #277
base: main
Are you sure you want to change the base?
Conversation
Using a certificate's NBF will always pass the time verification. We should be using only the current time to try to verify a certificate's validity. This is likely to only work with long-lived certificates or where verification happens immediately after signing. Fixes sigstore#276 Signed-off-by: Hayden Blauzvern <[email protected]>
@woodruffw Do you know if we have any conformance tests around verifying certificates against current time? |
Well, right after I wrote that, a conformance test failed, so I guess yes. |
I think the issue is we're conflating two things in sigstore-go - verification of the certificate and that a signing event occurred when the certificate is valid. In Cosign, the way this was dealt with is that the certificate is always verified with I think we should do the same here. This mirrors what sigstore-python does (I assume other clients as well given this is in the conformance suite) - sigstore-python uses NBF to verify the certificate with a later check against provided timestamps. |
The other question is what we want this fallback behavior to be. If we require current time to be used as a fallback, that would mean that you MUST provide a signed timestamp for short lived certs, which I think is the behavior we want. If the fallback would use NBF, then we are effectively skipping the timestamp check for a certificate - we do say this is an unsafe behavior as per the policy flag. I’d like to hear more from clients if we want to have this - it seems only useful for testing, which I would rather not have policy flags for just that. |
Another question - how should conformance pass when given only a signature and certificate? I guess all clients are using NBF, because otherwise it wouldn’t be possible to verify a short lived cert? |
I don't think we do yet, unfortunately -- I believe everything in the conformance suite currently verifies using the signed time source when present (or the client is expected to retrieve it, if not present). But the latter isn't enforceable, so in theory some clients could be allowing verification to succeed based on NBF being correct.
At least for sigstore-python, we currently perform an online lookup if we're given only detached materials, so we don't use just the |
In chatting with some other clients and thinking more on this, there are a few cases to handle:
For the first and second, I think the right solution is to require a signed timestamp. For conformance tests, either
For the third, this is where I think we should fallback to current time when no time is provided. Either we could remove @steiza @codysoyland is there a use case for the |
This is great @haydentherapper! I'm not aware of any use cases for Replacing |
There's a lot here! Let me try to walk through the Sigstore client spec, conformance tests, and then we can talk about what we should do here. From the Sigstore client spec, I think there was some misunderstanding when we were implementing sigstore-go as to what was meant under "Establishing a Time for the Signature":
At the very least, we should probably call out here what to do if there's no timestamp from the timestamping service or the transparency service. Some options for sigstore-go to consider:
It's not clear to me what the next step is here. Maybe we should agree on what the behavior should be, make any necessary updates to the client specification and / or conformance tests, and then update the client behavior? I'm leaning towards "fail", although it'll make sigstore-go harder to use with detached materials, which will exist for a while even as we move away from them. I think we can work around it by ensuring cosign does online transparency service queries when constructing a bundle to verify. |
Big +1 for this approach: this is what we settled on for sigstore-python, as a compromise between loosening the client's default timeliness guarantees and requiring an online lookup as part of verification for detached materials. |
This is interesting, I need to refresh my memory on the client spec. But this is the scenario when neither a RFC 3161 signed timestamp nor a SET exists. I'm tempted to update the client spec to explicitly state that the verification should fail. As the client spec should define the behaviour of a default sigstore client. But that does not mean that sigstore-go or other client's does not allow for policies like |
It sounds like we're all in agreement! So to confirm:
If we did want to keep detached conformance testing, what about if we update the conformance test to also support providing a proof as detached material? Cosign already persists this. If online queries are only for conformance testing, that's fine-ish (this is what sigstore-python does, as William told me), but a) we should strongly discourage online lookups and I'd love to just remove online lookups from clients entirely, and b) tile-based logs remove the ability to query by hash, so we'll need to move towards proofs as detached material regardless (or remove detached conformance tests, so this would be moot). |
I'd rather just remove detached materials from the conformance tests. If we add a flag to https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md#verify to provide a proof separately, then all the clients have to update in order to support that new flag. Let's start moving away from detached materials! |
Using a certificate's NBF will always pass the time verification. We should be using only the current time to try to verify a certificate's validity. This is likely to only work with long-lived certificates or where verification happens immediately after signing.
Fixes #276
Summary
Release Note
Documentation