
Add simple rekor-cli command to verify artifact

pbrkr opened this issue 1 year ago • 1 comment

Using the SHA256SUMS release artifact from https://github.com/SanCloudLtd/meta-sancloud/releases/tag/v6.1.0 as an example, I have uploaded the signature to the rekor transparency log. I feel that I should now be able to verify the file integrity using just rekor. There is currently a convoluted way to do this:

  1. Search rekor for the file hash: rekor-cli search --sha "sha256:$(sha256sum SHA256SUMS | cut -d' ' -f1)" > uuid.txt

  2. Retrieve the rekor log entry using the UUID given by the above command, isolate the signature content using jq, decode it and store it in a file: rekor-cli get --format json --uuid $(< uuid.txt) | jq -r .Body.RekordObj.signature.content | base64 -d > SHA256SUMS.asc

  3. Retrieve the appropriate PGP key from keys.openpgp.org (where email address verification has taken place): gpg --search-keys [email protected]

  4. Verify the signature using gpg: gpg --verify SHA256SUMS.asc

It would be great to have a simpler, more integrated way to achieve this. Perhaps a rekor-cli verify-blob ... command.

Note that in step 3 I get the PGP key from a different source. This is because if we rely on the public key embedded in the rekor log then there is no guarantee that it actually belongs to the organization or individual who made the release. Obviously this is where trusting the public key you've got becomes an interesting problem in itself but I think that's a different topic for another day.

pbrkr avatar Aug 10 '22 08:08 pbrkr

Hey @pbrkr! The way that you have described it is what cosign verify-blob performs. (caveat: I think cosign may not support pgp signature searching)

In my opinion, the functionality for rekor-cli verify (which exists) is that it takes in a Rekor entry information and verifies that the entry is in the log. Although Rekor verifies the signature before storing an entry in a log, it is not a signature validation tool (like cosign, openssl, or gpg are), but rather a transparency log that can attest to whether something was included in the log. So imo, verifying the signature should be performed by a signature verification tool.

Note: in (3) you can also retrieve the PGP key from the rekor entry as well.

You also do not need to perform the search via the redis index (search by sha, which can result in multiple entries because multiple people can sign on that file). To retrieve the log entry and verify that it is in the log:

$ gpg --export [email protected] > pubkey.key
$ ./rekor verify --artifact ~/Downloads/SHA256SUMS --signature ~/Downloads/SHA256SUMS.asc --public-key pubkey.key  --format json

asraa avatar Aug 10 '22 14:08 asraa
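The manual workflow in the first post (search by sha256, pull Body.RekordObj.signature.content out of the entry, decode it for gpg) and the point that a sha search can return several entries signed by different people can be combined into one filter step. The following is an added example, not rekor-cli or cosign code: it walks a list of rekord entries in the shape printed by rekor-cli get --format json, keeps only those whose recorded hash matches the local file and whose embedded key is byte-identical to the key obtained out of band, and returns the decoded signatures. All entry data, keys and signatures are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample data; key and signature bodies are placeholders, not real
# PGP material. The dict shape matches rekor-cli get --format json for rekord.
ARTIFACT = b"0123abcd  meta-sancloud.tar.gz\n"
TRUSTED_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nTRUSTED-PLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----\n"
OTHER_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nSOMEONE-ELSE-PLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----\n"

def rekord_entry(uuid, artifact, sig, pubkey):
    """Build one rekord entry as rekor-cli get --format json prints it."""
    return {
        "UUID": uuid,
        "Body": {"RekordObj": {
            "data": {"hash": {"algorithm": "sha256",
                              "value": hashlib.sha256(artifact).hexdigest()}},
            "signature": {"format": "pgp",
                          "content": base64.b64encode(sig).decode(),
                          "publicKey": {"content": base64.b64encode(pubkey).decode()}},
        }},
    }

def select_entries(entries, artifact, trusted_key):
    """Return {uuid: signature bytes} for entries that record the local file's
    sha256 AND embed exactly the key fetched out of band; a different embedded
    key means someone else signed the same file, and the entry is skipped."""
    digest = hashlib.sha256(artifact).hexdigest()
    chosen = {}
    for entry in entries:
        obj = entry["Body"]["RekordObj"]
        h = obj["data"]["hash"]
        if h["algorithm"] != "sha256" or h["value"] != digest:
            continue
        sig = obj["signature"]
        if sig.get("format") != "pgp":
            continue
        if base64.b64decode(sig["publicKey"]["content"]) != trusted_key:
            continue
        # The decoded signature is what goes into SHA256SUMS.asc for gpg --verify.
        chosen[entry["UUID"]] = base64.b64decode(sig["content"])
    return chosen

# Three constructed search hits: the maintainer's entry, a stranger's entry
# over the same file, and an entry that is actually for a different artifact.
ENTRIES = [
    rekord_entry("uuid-maintainer", ARTIFACT, b"SIG-A", TRUSTED_KEY),
    rekord_entry("uuid-stranger", ARTIFACT, b"SIG-B", OTHER_KEY),
    rekord_entry("uuid-other-file", b"other\n", b"SIG-C", TRUSTED_KEY),
]
```

Matching the embedded key byte-for-byte against a locally exported key is only a pinning check; the signature itself still has to be verified by gpg (step 4) with that same imported key.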

Closing since this functionality exists in Cosign

haydentherapper avatar Jan 03 '23 05:01 haydentherapper