Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow configurable algorithms in verification #76

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions cmd/sigstore-go/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ package main

import (
"crypto"
"crypto/ecdsa"
"crypto/x509"
"encoding/hex"
"encoding/json"
Expand Down Expand Up @@ -154,7 +153,11 @@ func run() error {
if err != nil {
return err
}
trustedMaterial = append(trustedMaterial, trustedPublicKeyMaterial(pubKey))
hashFunc, err := verify.GetHashForDigestAlgorithm(*artifactDigestAlgorithm)
if err != nil {
return err
}
trustedMaterial = append(trustedMaterial, trustedPublicKeyMaterial(pubKey, hashFunc))
}

if len(trustedMaterial) == 0 {
Expand Down Expand Up @@ -205,9 +208,9 @@ func (*nonExpiringVerifier) ValidAtTime(_ time.Time) bool {
return true
}

func trustedPublicKeyMaterial(pk crypto.PublicKey) *root.TrustedPublicKeyMaterial {
func trustedPublicKeyMaterial(pk crypto.PublicKey, hash crypto.Hash) *root.TrustedPublicKeyMaterial {
return root.NewTrustedPublicKeyMaterial(func(string) (root.TimeConstrainedVerifier, error) {
verifier, err := signature.LoadECDSAVerifier(pk.(*ecdsa.PublicKey), crypto.SHA256)
verifier, err := signature.LoadVerifier(pk, hash)
if err != nil {
return nil, err
}
Expand Down
35 changes: 18 additions & 17 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@ go 1.21
require (
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
github.com/go-openapi/runtime v0.26.2
github.com/go-openapi/runtime v0.27.1
github.com/go-openapi/strfmt v0.22.0
github.com/go-openapi/swag v0.22.7
github.com/go-openapi/swag v0.22.9
github.com/google/certificate-transparency-go v1.1.7
github.com/in-toto/in-toto-golang v0.9.0
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/protobuf-specs v0.2.1
github.com/sigstore/rekor v1.3.4
github.com/sigstore/sigstore v1.8.0
github.com/sigstore/rekor v1.3.5-0.20240129120212-63aa08fd13eb
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Pin to a version once a new Rekor release is cut.

github.com/sigstore/sigstore v1.8.1
github.com/sigstore/timestamp-authority v1.2.1
github.com/stretchr/testify v1.8.4
github.com/theupdateframework/go-tuf v0.7.0
Expand All @@ -28,15 +28,15 @@ require (
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/spec v0.20.13 // indirect
github.com/go-openapi/validate v0.22.3 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/validate v0.22.6 // indirect
github.com/google/go-containerregistry v0.17.0 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
Expand Down Expand Up @@ -69,21 +69,22 @@ require (
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel v1.21.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/otel/trace v1.21.0 // indirect
go.opentelemetry.io/otel v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.17.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
)
Loading