Fix signing and verification with ed25519 keys with bundles and Rekor
With the recent changes we made to use sigstore-go rather than Cosign for signing and verification, ed25519 managed key support broke, because we were incorrectly specifying ed25519ph for dsse Rekor entries and not specifying ed25519ph for hashedrekord entries. This PR correctly sets load options for when signing and verifying a blob (using the prehash variant) and when signing/verifying attestations (using the pure variant). This also fixes a bug where the SignerVerifier Keypair didn't handle crypto.Hash(0) for ed25519, which specifies no hash when signing.
This has been tested with sign/verify, sign-blob/verify-blob, attest/verify-attestation, and attest-blob/verify-blob-attestation.
Codecov Report
:x: Patch coverage is 50.00000% with 32 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 34.24%. Comparing base (2ef6022) to head (bc9c6d2).
:warning: Report is 524 commits behind head on main.
Additional details and impacted files

Coverage diff (base main vs. head #4414):

                 main     #4414      +/-
    Coverage    40.10%    34.24%   -5.87%
    Files          155       218      +63
    Lines        10044     15638    +5594
    Hits          4028      5355    +1327
    Misses        5530      9591    +4061
    Partials       486       692     +206
```shell
# Create a random 128-byte artifact to sign as a blob.
head -c 128 < /dev/urandom > artifact

# Blob: sign with a self-managed ed25519 key, write a Sigstore bundle, then verify it.
# With a Rekor entry this is the hashedrekord path, i.e. the ed25519ph (prehash) variant.
cosign sign-blob --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --bundle artifact.sigstore.json --yes --key cosign.key artifact
cosign verify-blob --new-bundle-format --trusted-root trusted_root.json --bundle artifact.sigstore.json --key cosign.pub artifact

# Blob attestation: sign an in-toto statement as a DSSE envelope (pure ed25519 variant)
# and verify it against the subject digest carried in the statement.
cosign attest-blob --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --statement intoto.txt --bundle intoto.sigstore.json --yes --key cosign.key
cosign verify-blob-attestation --bundle="intoto.sigstore.json" --key=cosign.pub --trusted-root trusted_root.json --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde8" --digestAlg="sha256"

# Container image in a local registry: sign/verify the image, then attest/verify a predicate.
cosign sign --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --yes --key cosign.key localhost:5050/busybox:latest
cosign verify --new-bundle-format --key cosign.pub --trusted-root trusted_root.json localhost:5050/busybox:latest
cosign attest --predicate predicate.json --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --yes --key cosign.key localhost:5050/busybox:latest
cosign verify-attestation --new-bundle-format --key cosign.pub --trusted-root trusted_root.json localhost:5050/busybox:latest
```
I'm so confused 😅 so help me check my understanding.
Fulcio does not support ed25519ph, but Rekor does. And if someone is using a key they manage (instead of Fulcio), we want to support ed25519ph and use that with Rekor as well.
In #4386 we removed some ed25519ph support, but did so in a way that broke "pure" ed25519 for self-managed keys. So we still aren't supporting ed25519ph with Fulcio, but we are fixing ed25519 for self-managed keys, and you can also use a self-managed ed25519ph key with Rekor. Did I get that right?
Thanks y'all for the comments. I was a little preemptive putting this up, I need to fix e2e tests (they're failing because when the tlog isn't used, we use ed25519 - the prehash variant is only for hashedrekord).
@steiza, correct. This is to support self-managed ed25519 keys. A summary of what's supported and what's not:
Supported:
- ed25519 key, signing an artifact
- ed25519 key for an artifact + Rekor (ed25519ph + hashedrekord) <-- This is the only time the prehash variant is used
- ed25519 key signing an attestation
- ed25519 key for an attestation + Rekor (ed25519 + dsse)
- For completeness, ECDSA/RSA + Fulcio (or without Fulcio) + Rekor (or without Rekor) for artifacts and DSSEs

Maybe supported:
- ed25519 key signing an attestation + Fulcio + Rekor (ed25519 + dsse) - This should be possible but we might need to update how the SignerVerifier is loaded. I'll test this out.

Not supported:
- ed25519 key + Fulcio + Rekor (ed25519ph + fulcio + hashedrekord, since Fulcio doesn't know how to verify ed25519ph signatures)
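To make the pure-vs-prehash distinction from the discussion above concrete, here is an added example using only Go's standard library crypto/ed25519 (this is not cosign's or sigstore-go's code, and the `Variant`, `Sign`, `Verify` and `VariantFor` names are my own). It shows how `crypto.Hash(0)` selects pure Ed25519 and `crypto.SHA512` selects Ed25519ph, and that a signature produced under one variant does not verify under the other, which is the failure mode the PR describes when the wrong variant is chosen for a hashedrekord or dsse entry.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Variant selects the Ed25519 scheme. Per the discussion above, pure Ed25519 is
// used for DSSE attestations (and when no tlog is used), and Ed25519ph (the
// prehash variant, RFC 8032) only for hashedrekord entries over an artifact.
type Variant int

const (
	Pure    Variant = iota // RFC 8032 Ed25519: signs the raw message
	Prehash                // RFC 8032 Ed25519ph: signs SHA-512(message)
)

// signerOpts maps a Variant to the crypto.SignerOpts that crypto/ed25519
// understands: crypto.Hash(0) means "no prehash" (pure Ed25519) and
// crypto.SHA512 selects Ed25519ph. crypto.Hash(0) is the value the PR text
// says the SignerVerifier keypair failed to handle.
func signerOpts(v Variant) *ed25519.Options {
	if v == Prehash {
		return &ed25519.Options{Hash: crypto.SHA512}
	}
	return &ed25519.Options{Hash: crypto.Hash(0)}
}

// digestFor returns what is actually passed to the Ed25519 primitive: the raw
// message for Pure, the 64-byte SHA-512 digest for Prehash (crypto/ed25519
// expects the digest, not the message, when Hash is crypto.SHA512).
func digestFor(message []byte, v Variant) []byte {
	if v == Prehash {
		d := sha512.Sum512(message)
		return d[:]
	}
	return message
}

// Sign signs message under the chosen variant with a self-managed ed25519 key.
func Sign(priv ed25519.PrivateKey, message []byte, v Variant) ([]byte, error) {
	return priv.Sign(rand.Reader, digestFor(message, v), signerOpts(v))
}

// Verify checks sig over message under the chosen variant. A signature made
// with one variant does not verify under the other, so signer and verifier
// must agree on the variant (hashedrekord => Prehash, dsse => Pure).
func Verify(pub ed25519.PublicKey, message, sig []byte, v Variant) bool {
	return ed25519.VerifyWithOptions(pub, digestFor(message, v), sig, signerOpts(v)) == nil
}

// VariantFor mirrors the rule in the discussion: prehash only when an artifact
// signature goes to Rekor as a hashedrekord; DSSE attestations and signing
// without a tlog use pure Ed25519.
func VariantFor(isDSSE, useRekor bool) Variant {
	if !isDSSE && useRekor {
		return Prehash
	}
	return Pure
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample artifact bytes") // constructed input

	// hashedrekord path: artifact + Rekor => Ed25519ph
	sig, _ := Sign(priv, artifact, VariantFor(false, true))
	fmt.Println("ph sig verifies as ph:  ", Verify(pub, artifact, sig, Prehash))
	fmt.Println("ph sig verifies as pure:", Verify(pub, artifact, sig, Pure))

	// dsse path: attestation + Rekor => pure Ed25519
	att, _ := Sign(priv, artifact, VariantFor(true, true))
	fmt.Println("pure sig verifies as pure:", Verify(pub, artifact, att, Pure))
	fmt.Println("pure sig verifies as ph:  ", Verify(pub, artifact, att, Prehash))
}
```

The cross-variant checks are the ones that fail: an Ed25519ph signature over SHA-512(artifact) is not a valid pure Ed25519 signature over the artifact, and vice versa, which is why mis-selecting the variant for dsse or hashedrekord entries broke verification for self-managed ed25519 keys.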