Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify tlog entries using the Rekor public keys from TUF #1467

Closed
wants to merge 1 commit into from
Closed

Verify tlog entries using the Rekor public keys from TUF #1467

wants to merge 1 commit into from

Conversation

haydentherapper
Copy link
Contributor

Typical verification used VerifyBundle, which called
GetRekorKeys, which fetches keys from the TUF repo.
If the bundle was not present or for a specific error
when a duplicate log entry was present, then the tlog
entry would be verified using a public key fetched from
Rekor's API. This key was not verified using TUF metadata.

This change simply removes the API call and uses Rekor
public keys from the TUF repo.

Tested locally by not including the Rekor bundle in
the OCI signature, which will hit the code path to
fetch the entry from the log.

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes

Release Note

Switched verifying non-bundled transparency log entries to using keys from the TUF repository

@haydentherapper
Verify tlog entries using the Rekor public keys from TUF
0be8a11 
Typical verification used VerifyBundle, which called
GetRekorKeys, which fetches keys from the TUF repo.
If the bundle was not present or for a specific error
when a duplicate log entry was present, then the tlog
entry would be verified using a public key fetched from
Rekor's API. This key was not verified using TUF metadata.

This change simply removes the API call and uses Rekor
public keys from the TUF repo.

Tested locally by not including the Rekor bundle in
the OCI signature, which will hit the code path to
fetch the entry from the log.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

cc @asraa

@haydentherapper haydentherapper mentioned this pull request Feb 15, 2022
Merged
@haydentherapper
Copy link
Contributor Author

Merged in another PR

@haydentherapper haydentherapper deleted the rekor-pubkeys branch February 16, 2022 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa approved these changes

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@haydentherapper @dlorenc @asraa