Timestamp authority response verification during signing

Open Hayden-IO opened this issue 3 years ago • 6 comments

Description

We should verify the response from the timestamp authority when it's received, as per RFC 3161:

    Upon receiving the response (which is or includes a TimeStampResp
    that normally contains a TimeStampToken (TST), as defined below), the
    requesting entity SHALL verify the status error returned in the
    response and if no error is present it SHALL verify the various
    fields contained in the TimeStampToken and the validity of the
    digital signature of the TimeStampToken.

We'll need to add the timestamp-cert-chain flag for signing.

Hayden-IO, Nov 28 '22 22:11
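The first of the three checks the quoted RFC text demands, the status error, as an added Go example that is not cosign's own code: it uses only the standard library's encoding/asn1, and the struct names, CheckResponse and the constructed SampleResponse are mine. It hands back the raw TimeStampToken for the CMS signature and TSTInfo field checks, which it does not perform itself.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// TimeStampResp and PKIStatusInfo from RFC 3161 section 2.4.2, as Go's encoding/asn1 sees them.
// PKIFailureInfo bits (0 = MSB): 0 badAlg, 2 badRequest, 5 badDataFormat, 14 timeNotAvailable,
// 15 unacceptedPolicy, 16 unacceptedExtension, 17 addInfoNotAvailable, 25 systemFailure.
type pkiStatusInfo struct {
	Status       int                           // PKIStatus: 0 granted, 1 grantedWithMods, 2+ not granted
	StatusString []string       `asn1:"optional"` // PKIFreeText, human-readable reason
	FailInfo     asn1.BitString `asn1:"optional"` // PKIFailureInfo, present only on failure
}
type timeStampResp struct {
	Status pkiStatusInfo
	Token  asn1.RawValue `asn1:"optional"` // TimeStampToken (CMS ContentInfo), kept as raw DER
}

// CheckResponse is the first client-side step: any status other than granted/grantedWithMods is an
// error, and a granted response must carry a token. The token DER is returned for the CMS signature
// and TSTInfo field checks that follow (not shown here).
func CheckResponse(der []byte) ([]byte, error) {
	var r timeStampResp
	if rest, err := asn1.Unmarshal(der, &r); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed TimeStampResp: %v, %d trailing bytes", err, len(rest))
	}
	if s := r.Status.Status; s != 0 && s != 1 {
		return nil, fmt.Errorf("TSA did not grant request: status %d, failInfo bits %08b, text %q",
			s, r.Status.FailInfo.Bytes, r.Status.StatusString)
	}
	if len(r.Token.FullBytes) == 0 {
		return nil, fmt.Errorf("status %d but no TimeStampToken in response", r.Status.Status)
	}
	return r.Token.FullBytes, nil
}

// SampleResponse builds a constructed TimeStampResp for demonstration (a real one arrives from the TSA
// over HTTP); its token is a placeholder ContentInfo holding only the id-signedData OID, not a signed token.
func SampleResponse(status int, failBits []byte, withToken bool) []byte {
	r := timeStampResp{Status: pkiStatusInfo{Status: status, // nil failBits gives a zero BitString,
		FailInfo: asn1.BitString{Bytes: failBits, BitLength: 8 * len(failBits)}}} // which "optional" omits
	if withToken {
		oid, _ := asn1.Marshal(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2})
		r.Token = asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: oid}
	}
	der, _ := asn1.Marshal(r) // constructed input, so the error is safe to drop here
	return der
}
```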

+1 overall

-1 to the name timestamp-cert-chain for the reasons I describe in https://github.com/sigstore/cosign/issues/2472

znewman01, Nov 30 '22 21:11

We can refactor that. This flag will also be unnecessary if you ship the TSA trust roots with TUF.

Hayden-IO, Nov 30 '22 21:11

@haydentherapper and I discussed this; we decided to go with --timestamp-cert-chain for now, then rename both this and --cert-chain as part of #2472.

znewman01, Jan 13 '23 20:01

@znewman01 I remember we initially used --timestamp-cert-chain but we recently renamed it to --timestamp-certificate-chain. Do we still want to change it?

hectorj2f, Jan 16 '23 22:01

I'm working on this now. Yea, I will use certificate-chain.

Hayden-IO, Jan 16 '23 23:01

Removing myself from this if anyone else wants to take it on.

Hayden-IO, Mar 27 '23 21:03