Skip to content

added public key check for SCTs #428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 17, 2025
Merged

added public key check for SCTs #428

merged 2 commits into from
Mar 17, 2025

Conversation

Horiodino
Copy link
Contributor

Summary

return err when the bundle is signed with a public key with Scts
fixes: #403

Release Note

Documentation

@Horiodino Horiodino requested a review from a team as a code owner March 9, 2025 12:05
haydentherapper
haydentherapper reviewed Mar 10, 2025
View reviewed changes
pkg/verify/signed_entity.go Outdated
@@ -515,6 +515,18 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
return nil, fmt.Errorf("failed to build policy: %w", err)
}

// Early check: If SCTs are required, ensure the bundle is certificate-signed not public key-signed
if v.config.requireSCTs {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we do this in the construction of SignedEntityVerifier?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want this check in SignedEntityVerifier - see #428 (review)

Copy link
Contributor

@haydentherapper haydentherapper Mar 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that this implementation of binding SignedEntity and SignedEntityVerifier together isn't what we want to do. I was thinking we could implement this check by checking for a public key in the trust root material, specifically if there is a TrustedPublicKeyMaterial verifier. Though I recognize now this might not be straightforward - if there are multiple verifiers for both keys and certificates, it's only at verification time for the SignedEntity we will know if it is incompatible with the verifier policy.

so tldr - let's move it to Verify() like you suggested

@Horiodino Horiodino force-pushed the Verifier_does_not_enforce_WithSignedCertificateTimestamps branch from 1ba2edb to 361cc17 Compare March 10, 2025 10:38
steiza
steiza requested changes Mar 10, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We want to have the concept of a SignedEntityVerifier be separate from a SignedEntity.

Imagine you're running sigstore-go on a server. You have your policy for what you consider valid or not, which is what you use to construct your SignedEntityVerifier. But at that time, you don't yet have a bundle you're verifying. Then you (re)use that verifier many, many times to verify various user-submitted SignedEntitys. This isn't hypothetical - this is exactly how npm provenance works on the server side.

That said, it does seem like requireSCTs is ignored if your bundle refers to a public key instead of having a signing certificate. Instead of this approach, I think we could have an if statement in Verify that checks if you have a public key but said you require SCTs?

@Horiodino Horiodino force-pushed the Verifier_does_not_enforce_WithSignedCertificateTimestamps branch from 1dcd863 to 56c128d Compare March 11, 2025 12:15
steiza
steiza reviewed Mar 13, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this makes sense. Should we add a test to pkg/verify/signed_entity_test.go?

@Horiodino
added test case
5b8b666 
Signed-off-by: Horiodino <[email protected]>
steiza
steiza approved these changes Mar 17, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me - thanks!

@steiza steiza merged commit 8672f69 into sigstore:main Mar 17, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper left review comments

@steiza steiza steiza approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verifier does not enforce WithSignedCertificateTimestamps when the bundle is signed with a public key
3 participants
@Horiodino @steiza @haydentherapper