asraa

Results 123 issues of asraa

Looks like Envoy is using C++ URI validations in StsService: https://github.com/envoyproxy/envoy/blob/062c895f499382ae61dead16db2a7e78b9146525/api/envoy/api/v2/core/grpc_service.proto#L94 Config validations throw an unimplemented exception when initializing the server (rather than a controlled `ProtoValidation` error). https://oss-fuzz.com/testcase-detail/5665272556158976 It...

Enhancement
C++

Signed-off-by: Asra Ali #### Summary Fixes https://github.com/sigstore/rekor/issues/877 See issue for the problem: `rekor verify` didn't work with sharding: If the requested UUID was a sharded Entry UUID (Tree ID +...

**Description** Verification of the inclusion proof relies on the log index and the tree size. Using a virtual index will likely modify the calculation of the inclusion proof, resulting in...

bug
ga_candidate

**Description** Add an additional timestamping type to Rekor. Roughtime is a modern timestamping standard https://blog.cloudflare.com/roughtime/ In addition to supporting RFC 3161 for compatibility (eg https://github.com/sigstore/gitsign/issues/22#issuecomment-1126291036), Rekor could also log Roughtime...

enhancement

**Description** I'm thinking of rekor sharding, and how it will interact with how we verify rekor entries. Particularly, how do we fetch the correct Rekor Pubs for the shard in...

enhancement

Signed-off-by: Asra Ali Adds a container type which understands simple signing payloads. This allows upload where the container signed can be indexed in the rekor entry. Adds search by reference...

**Description** This would be a rekor type specifically for container signatures (https://github.com/containers/image/blob/main/docs/containers-signature.5.md). This came up because cosign uploads the hash of the entire signed payload, and rekor does not understand...

enhancement

When verifying SignedNotes, we never check that the loaded public key matches the hash. I think the only purpose is for easy lookup and early rejection in case none of...

good first issue
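The key-hash check discussed in the SignedNotes issue above, as an added Go example that is not code from the issue or from Rekor. It follows the sumdb note signature layout (a signature line carries a 4-byte key hash followed by the Ed25519 signature, where the key hash is the first four bytes of SHA-256 over the key name, a newline, the algorithm byte 0x01 and the public key) and rejects a signature early when its key hash does not match the loaded public key, before any signature verification runs. The `rekor.example` key name, the checkpoint text and the fixed key seeds are constructed for the example; `signNote`, `verifyNote` and `keyHash` are this example's own helpers, not Rekor's API.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	algEd25519 = 0x01     // algorithm byte the sumdb note key format prepends to an Ed25519 key
	sigPrefix  = "\u2014" // U+2014, the marker that starts every signature line of a note
)

// keyHash is the 4-byte key identifier carried at the front of a note signature:
// the first four bytes of SHA-256(name || "\n" || 0x01 || pubkey).
func keyHash(name string, pub ed25519.PublicKey) uint32 {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte("\n"))
	h.Write([]byte{algEd25519})
	h.Write(pub)
	return binary.BigEndian.Uint32(h.Sum(nil)[:4])
}

// signNote appends "<prefix> <name> base64(keyhash || sig)" after the blank line
// that separates the note text from its signatures.
func signNote(text, name string, priv ed25519.PrivateKey) string {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, []byte(text))
	buf := make([]byte, 4, 4+len(sig))
	binary.BigEndian.PutUint32(buf, keyHash(name, pub))
	buf = append(buf, sig...)
	return text + "\n" + sigPrefix + " " + name + " " + base64.StdEncoding.EncodeToString(buf) + "\n"
}

var errKeyHashMismatch = errors.New("signature key hash does not match loaded public key")

// verifyNote finds the signature line for name and, before any Ed25519 work,
// rejects it if its key hash is not the hash of the public key we loaded.
func verifyNote(note, name string, pub ed25519.PublicKey) error {
	sep := strings.Index(note, "\n\n")
	if sep < 0 {
		return errors.New("malformed note: no signature section")
	}
	text := note[:sep+1] // the signed message is the text up to and including its final newline
	want := keyHash(name, pub)
	for _, line := range strings.Split(strings.TrimSuffix(note[sep+2:], "\n"), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 || fields[0] != sigPrefix || fields[1] != name {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil || len(raw) != 4+ed25519.SignatureSize {
			return errors.New("malformed signature line")
		}
		if binary.BigEndian.Uint32(raw[:4]) != want {
			return errKeyHashMismatch // early rejection: this signature was not made by the key we hold
		}
		if !ed25519.Verify(pub, []byte(text), raw[4:]) {
			return errors.New("signature does not verify")
		}
		return nil
	}
	return errors.New("no signature for " + name)
}

// demo signs a constructed checkpoint with key A and verifies it three ways:
// with key A (valid), with an unrelated key B (rejected on the key hash alone),
// and with key A over tampered text (rejected by the signature check).
func demo() (valid, wrongKey, tampered error) {
	privA := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x41}, ed25519.SeedSize)) // constructed seed
	privB := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed seed
	pubA := privA.Public().(ed25519.PublicKey)
	pubB := privB.Public().(ed25519.PublicKey)
	const name = "rekor.example" // constructed log name
	text := name + " - 1\n25\n" + base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{0x00}, 32)) + "\n"
	note := signNote(text, name, privA)
	valid = verifyNote(note, name, pubA)
	wrongKey = verifyNote(note, name, pubB)
	tampered = verifyNote(strings.Replace(note, "\n25\n", "\n26\n", 1), name, pubA)
	return
}

func main() {
	valid, wrongKey, tampered := demo()
	fmt.Println("key A:", valid)
	fmt.Println("key B:", wrongKey)
	fmt.Println("tampered:", tampered)
}
```

The key hash is only 32 bits, so a match is a lookup hint and not proof of anything; the Ed25519 verification still has to run on a match. What the early check buys is that a signature made by some other key is rejected without the verifier even attempting the curve operation, and that a checkpoint whose signature line was rewritten to point at a different key cannot be verified against the key the client happened to load.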

**Description** This is for getting bundling (https://github.com/sigstore/cosign/issues/181) working. When cosign uploads the {signature, public key, payload} to rekor, we need rekor to provide proof that the entry is in the...

enhancement
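The dependence of inclusion-proof verification on the log index and tree size raised in the sharding issue above, and the proof that an entry is in the log which the bundling issue asks Rekor to provide, as one added Go example that is not code from the issues or from Rekor. It implements RFC 6962 leaf and node hashing, inclusion-proof generation, and the RFC 9162 verification walk over a constructed seven-entry shard, and shows that the same proof fails when checked against a different (virtual) index, which is what substituting a global index for the shard-local one would do. The entry strings and the tree size are constructed; `inclusionProof` and `verifyInclusion` are this example's helpers, not Rekor's API.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
func hashLeaf(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(data)
	return h.Sum(nil)
}

func hashChildren(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n > 1).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// rootHash computes MTH(D[0:n]) over leaf hashes.
func rootHash(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leaves[0]
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return hashChildren(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

// inclusionProof returns PATH(m, D[0:n]): the sibling hashes from leaf m up to the root.
func inclusionProof(m int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if m < k {
		return append(inclusionProof(m, leaves[:k]), rootHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), rootHash(leaves[:k]))
}

// verifyInclusion is the RFC 9162 inclusion-proof check. leafIndex and treeSize
// must be the values the proof was generated against (the shard's own), which
// is why a virtual index spanning shards breaks verification.
func verifyInclusion(leafHash []byte, leafIndex, treeSize uint64, proof [][]byte, root []byte) bool {
	if leafIndex >= treeSize {
		return false
	}
	fn, sn := leafIndex, treeSize-1
	r := leafHash
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = hashChildren(p, r) // we are a right child: sibling goes on the left
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashChildren(r, p) // we are a left child: sibling goes on the right
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// demo builds a constructed seven-entry shard, proves entry 2, and checks the
// proof once with the correct index and once with a shifted (virtual) index.
func demo() (correctIndexOK, virtualIndexOK bool) {
	var leafHashes [][]byte
	for i := 0; i < 7; i++ {
		leafHashes = append(leafHashes, hashLeaf([]byte(fmt.Sprintf("constructed entry %d", i))))
	}
	root := rootHash(leafHashes)
	proof := inclusionProof(2, leafHashes)
	correctIndexOK = verifyInclusion(leafHashes[2], 2, 7, proof, root)
	virtualIndexOK = verifyInclusion(leafHashes[2], 3, 7, proof, root)
	return
}

func main() {
	ok, bad := demo()
	fmt.Printf("shard index verifies: %v; virtual index verifies: %v\n", ok, bad)
}
```

The walk consumes one proof hash per level and uses the bits of the index to decide on which side the sibling sits, so any index other than the one the proof was built for recombines the hashes in the wrong order and the recomputed root no longer matches; a verifier therefore has to be handed the shard-local index and the shard's tree size, not a global position.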

This tracking issue is to implement [TAP 4](https://github.com/theupdateframework/taps/blob/master/tap4.md): Multiple repository consensus on entrusted targets. To implement this, I propose creating a NEW type `MultiRepositoryClient` which takes a `map.json` file. It...