
Expose Go function for validating log entry

Open tiziano88 opened this issue 2 years ago • 1 comments

Currently the logic for validating the signature of a log entry needs to be reconstructed at least in part by other projects that wish to rely on it, e.g.:

  • https://github.com/google/ent/blob/b0804661406ee428d2127d7f2d653d6c1b45f766/cmd/ent/cmd/status.go#L110-L207
  • https://github.com/slsa-framework/slsa-verifier/blob/aee753f58fa9a4de2be6290e3eefae2d6e998a9d/pkg/provenance.go#L164-L285

This logic is mostly already available in rekor, but not particularly well packaged or exposed yet.

cc @asraa @laurentsimon @eddiezane @dlorenc

tiziano88, Apr 24 '22 23:04

Thanks @tiziano88! This has been a common source of problems when other users need to verify entries, which is also complex, so agreed there needs to be a central library to pull these functions from.

The second link on verifying an entry is exported in cosign here https://github.com/sigstore/cosign/blob/80fe5a31a398c45395d09d23e237c676ddad709f/pkg/cosign/tlog.go#L329

I could imagine putting this in a rekor library, but we will need to expose the rekor public keys as a parameter. In Cosign, we have a default TUF root stored where public keys are gathered from a default repository.

The first function, on extracting certificates, is also re-implemented in private logic in cosign. This can be added in rekor.

asraa, Apr 26 '22 14:04

Dropping from GA per maintainers chat.

dlorenc, Aug 18 '22 13:08

Related: https://github.com/sigstore/rekor/issues/891

This is useful because currently some clients don't run a full verification. In the cosign link above, the function verifies the inclusion proof and the SET. However, validating an inclusion proof is roughly worthless against validating the root hash that it chains up to (which means validating consistency with a STH).

This is a fairly easy win, and would close our #891 as well.

asraa, Aug 18 '22 15:08
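
The point made in the last comment, as an added example that is not part of the thread and is not rekor or cosign code: an RFC 6962 inclusion proof only proves membership relative to some root, so the check is meaningful only when that root comes from a checkpoint (STH) the client has already verified. The names `hash` and `verifyInclusion` and the sample entries are constructed for illustration; checkpoint signature and consistency verification are assumed to happen elsewhere.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// hash is RFC 6962 hashing: prefix 0x00 for a leaf, 0x01 for an interior node.
func hash(prefix byte, parts ...[]byte) []byte {
	sum := sha256.Sum256(append([]byte{prefix}, bytes.Join(parts, nil)...))
	return sum[:]
}

// verifyInclusion recomputes the root from the audit path (RFC 9162, 2.1.3.2) and accepts
// only if it equals trustedRoot, assumed to come from an already verified checkpoint (STH).
func verifyInclusion(index, size uint64, leaf []byte, proof [][]byte, trustedRoot []byte) error {
	if index >= size {
		return fmt.Errorf("index %d outside tree of size %d", index, size)
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return fmt.Errorf("proof too long")
		}
		if fn&1 == 1 || fn == sn {
			r = hash(1, p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = hash(1, r, p) // sibling is on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	if sn != 0 || !bytes.Equal(r, trustedRoot) {
		return fmt.Errorf("proof does not chain to the trusted root")
	}
	return nil
}

func main() {
	l0, l1, l2 := hash(0, []byte("entry-0")), hash(0, []byte("entry-1")), hash(0, []byte("entry-2"))
	proof := [][]byte{hash(1, l0, l1)} // audit path for index 2 in this constructed 3-leaf log
	root := hash(1, proof[0], l2)      // stands in for the root of a verified checkpoint
	forged := hash(0, []byte("forged"))
	fmt.Println("real entry, trusted root:", verifyInclusion(2, 3, l2, proof, root))
	fmt.Println("forged entry, root served with it:", verifyInclusion(2, 3, forged, proof, hash(1, proof[0], forged)))
	fmt.Println("forged entry, trusted root:", verifyInclusion(2, 3, forged, proof, root))
}
```

The second call succeeds because a forged leaf, its audit path and a matching root are trivially self-consistent; only the comparison against the independently verified root rejects it.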