New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verification: Return an STH in a Verification response #988
Comments
Wrote up a doc with more details on offline and online verification - https://docs.google.com/document/d/1_Ykbb1n_rXQjZIairCBKj6ZTpvw5s19fjpwGTksGCbI/edit# (sigstore-dev has access) |
Task: Update verification functions once the STH is returned |
The plan for changes:
The last step is necessary for gossiping. We can't sign a new tree head - Otherwise the tree head signatures would differ between an inclusion proof's checkpoint and GetLogInfo's checkpoint. @asraa @bobcallaway @priyawadhwa Please review |
That makes logical sense to me. Note that I think some languages JSON decoders may have more strict validation than Go, and that it would be a breaking change and we should publish a release for it.
Like Rekor server should do that? Can we table that for later to make this more incremental?
Also, can we table that for later? Let's just make this issue on changing return response |
Yes, we can fix these incrementally, but I think to fully close this issue, we will need to persist the latest checkpoint. Otherwise, there will be no way for a client to get quorum with other witnesses, given the STH from an inclusion proof. |
Persistance can be punted. A client with a checkpoint can't ask a witness if it's seen the checkpoint with the current model for Rekor anyways, since the checkpoints update so frequently. Just some thoughts for if we do this, a way to avoid writing to a database: We only need to persist the latest, so we can just store it on the global |
This associates a root hash in an inclusion proof with a signed commitment from the log. Previously, without this included, there was no connection between an inclusion proof and the log. An inclusion proof and checkpoint can be an alternative proof of inclusion instead of a SET. Ref sigstore#988 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
This associates a root hash in an inclusion proof with a signed commitment from the log. Previously, without this included, there was no connection between an inclusion proof and the log. An inclusion proof and checkpoint can be an alternative proof of inclusion instead of a SET. Ref sigstore#988 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
This associates a root hash in an inclusion proof with a signed commitment from the log. Previously, without this included, there was no connection between an inclusion proof and the log. An inclusion proof and checkpoint can be an alternative proof of inclusion instead of a SET. Ref sigstore#988 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
* Include checkpoint (STH) in entry upload and retrieve responses This associates a root hash in an inclusion proof with a signed commitment from the log. Previously, without this included, there was no connection between an inclusion proof and the log. An inclusion proof and checkpoint can be an alternative proof of inclusion instead of a SET. Ref #988 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Refactor with common implementation for creating signed checkpoint Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Update client to verify checkpoint signature Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Address linter Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Add checkpoint verification to VerifyLogEntry Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@asraa I believe this can be closed now? |
Agree! |
Thanks! Going to open up another non-blocking issue for figuring out the story around returning a consistent checkpoint. |
Description
I propose adding an STH in a rekor entry
Verification
.Right now, a full verification on an entry would do the following:
See impl here:
rekor/pkg/verify/verify.go
Line 192 in 3ee0810
Note that most of this can be done with the returned info in an entry LogEntry EXCEPT 2. That requires a Rekor client to fetch
LogInfo
to retrieved an STH and then also a consistency proof from the root hash of the inclusion proof to the STH. Instead, we should return the STH for the root hash of the inclusion proof. Overall, the struct would look something likealternatively we can also place the SignedTreeHead checkpoint inside the inclusion proof, and remove the roothash/treesize fields and consume them from the sth.
Related #986
cc @haydentherapper @bobcallaway
Version
The text was updated successfully, but these errors were encountered: