improve KindVersion compatibility #1370
Conversation
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This reverts commit 79a6d31. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
There was a problem hiding this comment.
Can you confirm I've understood correctly: we have two ways to deserialize some sort of log entry:
_from_response()that deserializes the rekor v1 response (that is not an actual v1.TransparencyLogEntry) while signing_from_dict_rekor()deserializer for actual v1.TransparencyLogEntry, currently used by verification when parsing a bundle
And you want to use _from_dict_rekor() to also parse the responses from rekor v2 when signing (because now the response is an actual v1.TransparencyLogEntry)
The changes are required because previously kindversion was only parsed when serializing:
- in rekor v1 response only canonicalized_body contains the kindversion?
- with rekor v2, you want to get kindversion from v1.TransparencyLogEntry -- I think that makes sense since that way you don't have to parse the canonicalized body before you know what kind it is?
This seems to make sense, there is one part here I don't understand:
In rekor V2, we may not be including the KindVersion in the "canonicalized body"
I didn't think this is possible: don't the log witnesses operate only with canonicalized body so need the kindversion there?
|
@jku I checked and with these two patches, KindVersion is now in the canonicalized_body for Rerkor V2. Still the new canonicalized body has a different layout in rekorV2, so I think this patch is simpler. |
There was a problem hiding this comment.
I had another look:
- I realized why kindVersion looks weird here: this PR adds a betterproto type (KindVersion) into LogEntry: this feels against the design since otherwise LogEntry is a "native" type and does not use betterproto... I suppose that's fine. William as original author might have opinions?
- It's a bit odd that we go through the trouble of handling KindVersion but then never use it to validate canonical body in any way... but that validation currently would belong in
Verifier.verify_*(since we're avoiding parsing canonical body before that) so maybe it's not part of this PR
I'm willing to approve this but would appreciate another opinion.
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
|
Sorry for the delay on my end!
Yeah, I think I would prefer to not have a betterproto type become part of the public API here -- we've mostly successfully avoided exposing the betterproto types, both for stability (we don't consider them stable) and idiomatic reasons (exposing a foreign type through a library's API is usually not recommended). I suppose we could address that by making it private for now ( |
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
|
@woodruffw Changed to Yes, @jku's changes for the singing_config will inform which version of rekor to use. "rekorTlogUrls": [
{
"url": "https://rekor.sigstage.dev",
"majorApiVersion": 1,
"validFor": {
"start": "2021-01-12T11:53:27Z"
}
}
],The shape of the response is also different in v2: It will be an actual TLE. So it's my intention to use The response will be a
[`TransparencyLogEntry` message](https://github.com/sigstore/protobuf-specs/blob/5296f13d62e7fad428581d969f664c30cc52f549/protos/sigstore_rekor.proto#L94),
which should be persisted in a bundle (example at the bottom of this doc).
Clients no longer need to transform the Rekor response into a `TLE` message to store in the bundle. |
I think William is also asking if we know which rekor version created the entry in the bundle that we are parsing and validating during verification, and I don't think we do with current rekor design... However, after flip-flopping a few times on the TLE versioning I believe the current plan (sigstore/rekor-tiles#255) is that the "canonical body" remains compatible (just with fewer types) and this means we should be able to deserialize a TLE safely with a single code path regardless of the source as long as we're careful -- it's not trivial but also does not seem unfeasible. WRT removing v1 support:
|
|
Yes, so far the plan is to also have the KindVersion information in the reponse's inner canonicaliedBody, which will also be stored in the Bundle. Rekor V2 will be using dsse v0.0.2 and hashedrekord v0.0.2, while rekorV1 still only supports v0.0.1 of both kinds. |
There was a problem hiding this comment.
@woodruffw I'll leave this for you since you requested changes but it seems sensible to me.
I would like us to fail in an understandable way when we see unsupported kindVersions (see e.g. #1384)... but so far LogEntry has been agnostic about kindVersions and the canonical body, and maybe that makes sense: We could do a followup PR to make Bundle._verify() check that KindVersion has values the bundle can work with?
I think this is not needed: the only real changes are:
everything else is something we should already have prepared for in v1... but maybe hadn't. |
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
|
@woodruffw , please take a look |
|
/gcbrun |
Client support for Rekor V2: sigstore-python
Resolves #1369
Summary
_from_response()to parse theKindVersionfrom the responses canonicalized jsonbodyand cache it._from_dict_rekor()and_to_rekor()to store and reuse the cachedKindVersion.Release Note
LogEntry.kind_version, which is now parsed earlier upon receipt from the rekor API,either from the root of the response, or from the reponse's inner base64-encoded JSON
body.Documentation
None