Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use bundle log ID to find verification key #1748

Merged
merged 1 commit into from Apr 13, 2022
Merged

Use bundle log ID to find verification key #1748

merged 1 commit into from Apr 13, 2022

Conversation

haydentherapper
Copy link
Contributor

Instead of iterating over all log verification keys, we use the log ID
in the bundle to find the correct key. This avoids iterating over all
trusted keys.

Note that the log ID is not signed. If the offline bundle is manipulated
so that the log ID does not resolve to a valid key, this will not result
in a denial of service attack, because cosign will fall back to fetching
the entry from the online log.

The equivalent change for CT entry verification has been made in another
PR.

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes

Release Note

@haydentherapper
Use bundle log ID to find verification key
cb8ac86 
Instead of iterating over all log verification keys, we use the log ID
in the bundle to find the correct key. This avoids iterating over all
trusted keys.

Note that the log ID is not signed. If the offline bundle is manipulated
so that the log ID does not resolve to a valid key, this will not result
in a denial of service attack, because cosign will fall back to fetching
the entry from the online log.

The equivalent change for CT entry verification has been made in another
PR.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

cc @asraa

@dlorenc dlorenc merged commit 80fe5a3 into sigstore:main Apr 13, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 13, 2022
@haydentherapper haydentherapper deleted the verify-rekor-one-key branch April 13, 2022 02:05
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@haydentherapper @mlieberman85
Use bundle log ID to find verification key (sigstore#1748)
b98995b 
Instead of iterating over all log verification keys, we use the log ID
in the bundle to find the correct key. This avoids iterating over all
trusted keys.

Note that the log ID is not signed. If the offline bundle is manipulated
so that the log ID does not resolve to a valid key, this will not result
in a denial of service attack, because cosign will fall back to fetching
the entry from the online log.

The equivalent change for CT entry verification has been made in another
PR.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.8.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@haydentherapper @dlorenc