rekor icon indicating copy to clipboard operation
rekor copied to clipboard
verified publisher icon sigstore

Checkpoint spec compliance: Mismatched origin string with signature

Open Hayden-IO opened this issue 1 year ago • 2 comments

Context

Even though Rekor looks like a single log, it's backed by multiple trees, so that we can periodically shard the log to prevent indefinite growth. When verifying inclusion proofs, you use a tree-specific index for example. When verifying checkpoints, you use the tree size, not the total log size.

Problem

Here's the current checkpoint:

rekor.sigstore.dev - 2605736670972794746
79317123
Kmb+leehFHcnu5BxZCMqengfUR/yhOQuNcDE7kzmb94=

— rekor.sigstore.dev wNI9ajBFAiEAlMvpqFXBNC2hHHclvkSF3F/IwJWifmpJbqFSlHeur/kCIAiLLyjtqi/UhXl/PgIgnsFTP34doSOUYE00BXeS+GH1

Note the first line, rekor.sigstore.dev - 2605736670972794746, is the unique identifier for the tree. It appends the tree ID 2605736670972794746 to make the checkpoint unique.

Each signature line should start with the identifier for either the log or the witness that signs it. In this case, it's rekor.sigstore.dev, which is only the hostname, not the log origin. The first signature's identifier should match the origin string.

I'm surprised this was never noticed actually, because the log is being monitored by the omniwitness project. I guess the signature origin was never compared to the checkpoint origin.

Proposal

Change the identifier on the signature line to match the origin string.

Clients

I think we're good to make this change without any impact to clients. Looking over each client:

  • @woodruffw - https://github.com/sigstore/sigstore-python/blob/main/sigstore/_internal/rekor/checkpoint.py#L47 parses the checkpoint signature into a name and signature, and name is unused
  • @bdehamer - https://github.com/sigstore/sigstore-js/blob/main/packages/verify/src/timestamp/checkpoint.ts#L136 parses the signature line into a name and signature, and name is also unused
  • @loosebazooka - https://github.com/sigstore/sigstore-java/blob/1a175b499592f5d85d5c9ed89ae8e875c9895bb8/sigstore-java/src/main/java/dev/sigstore/rekor/client/Checkpoints.java#L90 ignores the origin in the checkpoint
  • Go - We parse name in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go#L173 but also do nothing with it

While out of scope for this issue, I wanted to mention that the next time we shard, we will plan to change the origin string to be more URL like as noted in https://github.com/sigstore/rekor/issues/1450. Clients should not make any assumptions on the format of the string. I don't see any assumptions currently, so we're good to go.

Hayden-IO avatar Apr 04 '24 19:04 Hayden-IO

Investigating further, it appears a lot of known logs don't follow this. This might be considered a breaking change from the perspective of the witness. Looking into it...

Hayden-IO avatar Apr 04 '24 23:04 Hayden-IO

Given this will be a breaking change to witnesses and there is nothing mandating a matched origin and signature identifier, we won't move forward with making any changes for the existing shard. We'll make this change during the next sharding.

Hayden-IO avatar Apr 11 '24 22:04 Hayden-IO