Skip to content

Verify artifact signing time against all timestamps #1381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
May 16, 2025
Merged

Verify artifact signing time against all timestamps #1381

merged 12 commits into from
May 16, 2025

Conversation

ramonpetgrave64
Copy link
Contributor

Client support for Rekor V2: sigstore-python

Summary

Resolves #1380

Release Note

  • Timestamps: Verify the signature date against the validity period of both the
    Timestamp Authority or the Transperency Service, if either of such timestamps
    are present in the Bundle. We still require at lease one of such timestamps.

Documentation

@ramonpetgrave64
use all verified timestamps
146f85e 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
additional test
830ea64 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
cleanup
17a9716 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
pr backlink
2e93051 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 7, 2025
Open
30 tasks
ramonpetgrave64
ramonpetgrave64 commented May 9, 2025
View reviewed changes
jku
jku requested changes May 12, 2025
View reviewed changes
Copy link
Member

@jku jku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spent some time thinking about whether we really want to require all established times to be within the signing cert lifetime -- it sounds like policy decision -- but in the end agreed with you: I think we can require correctness even if the policy only asks for one established time.

The only request is on the language. I'd like to be exact: Timestamps always come from a TSA. integration time is not a real Timestamp it's just a time.

I think using "established times" as the common term is fine as is spelling all the options out: "timestamps or the log integration time"

@jku
Copy link
Member

jku commented May 12, 2025

The only request is on the language. I'd like to be exact: Timestamps always come from a TSA. integration time is not a real Timestamp it's just a datetime.

I suppose another possibility might be to always refer to "TSA timestamps" when talking about those

ramonpetgrave64 and others added 4 commits May 12, 2025 19:57
@ramonpetgrave64
add test and data for a late timestamp
6642f12 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
better documentation
0375ed2 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
lint
6d9d7a8 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
Merge branch 'main' into verify-artifact-signing-time
c6b6981
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 12, 2025
Open
jku
jku reviewed May 13, 2025
View reviewed changes
Copy link
Member

@jku jku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, thanks for figuring out the test.

I'm still flip flopping on whether we should outright fail when any time is outside the certificate validity as in this PR (or if we should just verify we have at least one valid established time, and not care if other times are outside the certificate window)...

jku
jku previously approved these changes May 13, 2025
View reviewed changes
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 13, 2025
Open
@ramonpetgrave64
Merge branch 'main' into verify-artifact-signing-time
c3d70e9 
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 14, 2025
Merged
@ramonpetgrave64
test with missing inclusion promise
f47ef16 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
jku
jku requested changes May 15, 2025
View reviewed changes
Copy link
Member

@jku jku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the intent of the new test but currently what happens is

  1. bundle is constructed
  2. bundle is validated (see Bundle._verify())
  3. test modifies bundle by deleting fields
  4. test runs verify

I don't like how the field deletion bypasses the validation. I think storing the new cases as separate assets would solve this issue

@ramonpetgrave64
edit the fields before instantiating the bundle
c0c44db 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 requested review from jku May 15, 2025 16:12
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 16, 2025
Draft
15 tasks
@jku
Copy link
Member

jku commented May 16, 2025

/gcbrun

@jku jku merged commit 30a74ed into sigstore:main May 16, 2025
22 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku Awaiting requested review from jku

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verifying Signature time when no inclusion promise or integrated time
2 participants
@ramonpetgrave64 @jku