
Question: How will clients interact with sharded rekor instances when verifying?

Open asraa opened this issue 2 years ago • 5 comments

Description

I'm thinking of rekor sharding, and how it will interact with how we verify rekor entries. Particularly, how do we fetch the correct Rekor Pubs for the shard in clients? This is all doable, but I'm curious about:

  • Is each shard going to use the same signer? (If so, no change needed to the client code)
  • If not, will each shard have a dedicated signer? (if so, then we can annotate the TUF metadata with a custom json message w/ the shard ID -- then cosign client code can fetch a rekor pub by shard ID... assuming... we have that hint on the shard ID in the client)
  • Will all the rekor signers (if one per shard) be in the same GCP key ring? (If so, then we can automate populating a TUF delegation for a shard by querying the pubs in the key ring and updating in a cron workflow)

asraa avatar Mar 09 '22 17:03 asraa

As far as I know, Option 1 is the plan! (each shard uses the same signer).

priyawadhwa avatar Mar 09 '22 17:03 priyawadhwa

As far as I know, Option 1 is the plan! (each shard uses the same signer).

Ah, interesting! So currently the scope is that sharding is helping log size/resource, not the case of a signer compromise? Gotcha! Happy that's the case right now, works for incremental changes!

asraa avatar Mar 09 '22 17:03 asraa

Yah I think the main goal was to shard on some cadence (~ once/year) so the log doesn't get too big (but I've only been looking at this feature for ~1 week so I'll let others chime in :)

priyawadhwa avatar Mar 09 '22 17:03 priyawadhwa

Update: I was wrong! We'll need one signer/shard.

priyawadhwa avatar Mar 09 '22 19:03 priyawadhwa

I am trying to wrap my head around specific todos for this so that I can plug them into #711 but am not very familiar with this part - it seems like some of the work @asraa mentioned is on the cosign side? These are the todos I got:

  • annotate the TUF metadata with a custom json message w/ the shard ID
  • have cosign client code fetch a rekor pubkey by shard ID
  • automate populating TUF delegation for a shard by querying for pubkeys in the key ring

@priyawadhwa's PR #734 allows us to query for a public key in loadVerifier() as part of rekor-cli loginfo - that seems related to this. Is there any other work that needs to be done in Rekor?

lkatalin avatar Mar 16 '22 19:03 lkatalin
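The client-side flow proposed in the opening comment and restated in the todo list above (per-shard Rekor keys published as TUF targets annotated with a shard ID, and the client picking the verifier by shard ID before checking an entry's signature) can be sketched as follows. This is an added example, not code from rekor or cosign, and the `rekor_shard` custom field, the target names, and the `shardKeys` helper are assumptions made for illustration; the real TUF metadata and key-selection logic the projects adopted may look different. The keys and targets.json are constructed inside the block so it runs offline. Note the deliberate failure mode: an entry that names a shard the client has no key for is rejected rather than tried against every known key, since "any key will do" would let one shard's signer vouch for another's entries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// targetsFile mirrors only the part of a TUF targets.json used here: the per-target
// "custom" object. The "rekor_shard" key inside it is an ASSUMED layout for this
// example, not a format the sigstore TUF root is known to use.
type targetsFile struct {
	Signed struct {
		Targets map[string]struct {
			Custom struct {
				RekorShard string `json:"rekor_shard"`
			} `json:"custom"`
		} `json:"targets"`
	} `json:"signed"`
}

// shardKeys maps a shard ID to the Rekor public key published for that shard.
type shardKeys map[string]*ecdsa.PublicKey

// loadShardKeys reads targets.json and, for each target annotated with a shard ID,
// parses the PEM public key from targetBlobs (which a real client would have
// fetched and integrity-checked through TUF). Duplicate shard IDs are an error.
func loadShardKeys(targetsJSON []byte, targetBlobs map[string][]byte) (shardKeys, error) {
	var tf targetsFile
	if err := json.Unmarshal(targetsJSON, &tf); err != nil {
		return nil, err
	}
	keys := shardKeys{}
	for name, t := range tf.Signed.Targets {
		if t.Custom.RekorShard == "" {
			continue // not a Rekor key, e.g. a Fulcio root
		}
		block, _ := pem.Decode(targetBlobs[name])
		if block == nil {
			return nil, fmt.Errorf("target %q missing or not PEM", name)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ecPub, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("target %q: not an ECDSA key", name)
		}
		if _, dup := keys[t.Custom.RekorShard]; dup {
			return nil, fmt.Errorf("shard %q has two keys", t.Custom.RekorShard)
		}
		keys[t.Custom.RekorShard] = ecPub
	}
	return keys, nil
}

// verifyForShard checks sig over payload with the key for shardID only.
// An unknown shard is a hard failure; there is no fallback to other keys.
func (k shardKeys) verifyForShard(shardID string, payload, sig []byte) error {
	pub, ok := k[shardID]
	if !ok {
		return errors.New("no Rekor key for shard " + shardID)
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature for shard " + shardID)
	}
	return nil
}

// buildFixture constructs two shards with fresh keys, their PEM target files, and a
// targets.json carrying the assumed rekor_shard annotation. Constructed test data only.
func buildFixture() ([]byte, map[string][]byte, map[string]*ecdsa.PrivateKey, error) {
	privs := map[string]*ecdsa.PrivateKey{}
	blobs := map[string][]byte{}
	targets := map[string]any{}
	for _, shard := range []string{"rekor-2021", "rekor-2022"} {
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, nil, err
		}
		der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
		if err != nil {
			return nil, nil, nil, err
		}
		name := shard + ".pub"
		blobs[name] = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
		privs[shard] = priv
		targets[name] = map[string]any{"custom": map[string]string{"rekor_shard": shard}}
	}
	tj, err := json.Marshal(map[string]any{"signed": map[string]any{"targets": targets}})
	return tj, blobs, privs, err
}

// signForShard stands in for the shard's log signer producing a signed entry.
func signForShard(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func main() {
	tj, blobs, privs, err := buildFixture()
	if err != nil {
		panic(err)
	}
	keys, err := loadShardKeys(tj, blobs)
	if err != nil {
		panic(err)
	}
	payload := []byte(`{"logIndex":42}`)
	sig, _ := signForShard(privs["rekor-2022"], payload)
	fmt.Println("rekor-2022:", keys.verifyForShard("rekor-2022", payload, sig))
	fmt.Println("rekor-2021:", keys.verifyForShard("rekor-2021", payload, sig))
	fmt.Println("rekor-2030:", keys.verifyForShard("rekor-2030", payload, sig))
}
```

Run as-is it prints a nil error for the matching shard and non-nil errors for the wrong and unknown shards. The piece a real client still needs, and which the thread leaves open, is where the shard hint on the entry comes from; here the caller supplies it directly.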

Closing since verification should be handled correctly. Feel free to reopen if there were specific TODOs.

haydentherapper avatar Jan 03 '23 05:01 haydentherapper