
Add support for ED25519ph for sign/verify(-blob) commands

Open ret2libc opened this issue 7 months ago • 10 comments

Summary

Integrate https://github.com/sigstore/sigstore/pull/1595 into cosign, allowing sign-blob/verify-blob commands to use ED25519ph as necessary.

This needs both https://github.com/sigstore/rekor/pull/1959 and https://github.com/sigstore/rekor/pull/1945

How I tested this:

# regular ecdsa + sha256
~/projects/sigstore/cosign/cosign sign-blob --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --yes msg.txt
~/projects/sigstore/cosign/cosign verify-blob --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --certificate-identity [email protected] --certificate-oidc-issuer-regexp '.*google.*' msg.txt

# ed25519ph
openssl genpkey -algorithm ed25519 -out private.pem
~/projects/sigstore/cosign/cosign import-key-pair --key private.pem
~/projects/sigstore/cosign/cosign sign-blob --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --key import-cosign.key --yes msg.txt
~/projects/sigstore/cosign/cosign verify-blob --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --certificate-identity [email protected] --certificate-oidc-issuer-regexp '.*google.*' --key import-cosign.pub msg.txt

# ed25519ph (with custom fulcio from https://github.com/sigstore/fulcio/pull/1517)
openssl genpkey -algorithm ed25519 -out private.pem
~/projects/sigstore/cosign/cosign import-key-pair --key private.pem
~/projects/sigstore/cosign/cosign sign-blob --fulcio-url http://127.0.0.1:5555 --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --key import-cosign.key --issue-certificate --yes msg.txt
~/projects/sigstore/cosign/cosign verify-blob --rekor-url http://127.0.0.1:3000 --bundle cosign.bundle --certificate-identity [email protected] --certificate-oidc-issuer-regexp '.*google.*' --key import-cosign.pub msg.txt

Release Note

  • Added LoadPrivateKeyWithOpts, TLogUploadWithCustomHash, ValidateAndUnpackCertWithOpts, VerifierForKeyRefWithOpts, LoadPublicKeyRawWithOpts, SignerVerifierFromKeyRefWithOpts, PublicKeyFromKeyRefWithOpts for passing sigstore.signature.SignerVerifierOptions around
  • Allow support for ed25519 keys + sha512

Documentation

ret2libc Jan 15 '24 12:01
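The reason the ed25519 + sha512 path in this PR needs its own signer/verifier options is that Ed25519ph is a distinct signature scheme from pure Ed25519: the signer is given SHA-512(blob) and the hash includes a domain separator, so a signature made one way does not verify the other way. The following added example (not cosign's or sigstore's code; it uses only Go's crypto/ed25519 with a constructed key seed and blob) shows a sign-blob/verify-blob style round trip in ph mode and that each mode rejects the other's signatures.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Ed25519ph: the signer receives SHA-512(blob), not the blob itself.
var phOpts = &ed25519.Options{Hash: crypto.SHA512}

// signBlobPh: what an Ed25519ph-aware sign-blob must do.
func signBlobPh(priv ed25519.PrivateKey, blob []byte) ([]byte, error) {
	digest := sha512.Sum512(blob)
	return priv.Sign(rand.Reader, digest[:], phOpts)
}

// verifyBlobPh: the matching verify-blob step (recompute SHA-512, verify in ph mode).
func verifyBlobPh(pub ed25519.PublicKey, blob, sig []byte) bool {
	digest := sha512.Sum512(blob)
	return ed25519.VerifyWithOptions(pub, digest[:], sig, phOpts) == nil
}

// verifyBlobPure: plain Ed25519 over the whole blob, the pre-existing ed25519 path.
func verifyBlobPure(pub ed25519.PublicKey, blob, sig []byte) bool {
	return ed25519.Verify(pub, blob, sig)
}
// demo signs a constructed blob both ways and reports
// (ph sig verifies in ph mode, ph sig verifies in pure mode, pure sig verifies in ph mode).
func demo() (phOK, pureAcceptsPh, phAcceptsPure bool) {
	// Constructed fixed seed so the run is reproducible.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	blob := []byte("constructed msg.txt contents\n")
	phSig, err := signBlobPh(priv, blob)
	if err != nil {
		panic(err)
	}
	pureSig := ed25519.Sign(priv, blob)
	return verifyBlobPh(pub, blob, phSig), verifyBlobPure(pub, blob, phSig), verifyBlobPh(pub, blob, pureSig)
}

func main() {
	phOK, pureAcceptsPh, phAcceptsPure := demo()
	fmt.Println("ph verifies ph:", phOK, "| pure verifies ph:", pureAcceptsPh, "| ph verifies pure:", phAcceptsPure)
}
```

This is why a verifier has to know which variant produced a bundle's signature: a pure-Ed25519 verify-blob will report a valid Ed25519ph signature as a verification failure.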