Key ID generation is incorrect for non-ECDSA keys
See https://github.com/sigstore/rekor/issues/2062 for the full context here. TL;DR: we have an internal key_id helper that essentially does SHA256(DER(SPKI(key))), which is correct for ECDSA keys but not for Ed25519 or RSA.
Following https://github.com/sigstore/sigstore-python/pull/953 this will no longer cause failures, but will be suboptimal in terms of searching all keys in the keyring. We should fix our key ID generation and handling to make it more optimal.
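To make the mismatch concrete, here is an added, stand-alone illustration (not code from sigstore-python or Rekor) of the two computations involved: the SHA256-over-DER-SPKI key ID the helper above computes, and the note-format key hash (first 4 bytes of SHA256(name + "\n" + alg_byte || pubkey)) that signed-note checkpoints use to hint which key signed them. Assumptions: the note-format hash follows the golang.org/x/mod/sumdb/note convention with 0x01 as the Ed25519 algorithm byte; the key bytes and the origin name are constructed placeholders, not real Sigstore keys; the DER prefixes are the fixed SubjectPublicKeyInfo headers for Ed25519 and P-256 keys, so no cryptography dependency is needed.

```python
import hashlib

# Constructed sample key material (placeholders, not real keys).
ED25519_RAW = bytes(range(32))            # 32-byte raw Ed25519 public key
P256_POINT = b"\x04" + bytes(range(64))   # 65-byte uncompressed P-256 point (not a real curve point)
ORIGIN = "example.invalid/log"            # constructed checkpoint origin name

# Fixed DER SubjectPublicKeyInfo headers; the raw key bytes are appended directly.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# Algorithm byte used by the note format for Ed25519 verifier keys (assumption).
NOTE_ALG_ED25519 = 0x01


def spki_der(key_type: str, raw: bytes) -> bytes:
    """Build the DER-encoded SPKI for a raw key of the given type."""
    if key_type == "ed25519":
        return ED25519_SPKI_PREFIX + raw
    if key_type == "p256":
        return P256_SPKI_PREFIX + raw
    raise ValueError(f"unsupported key type: {key_type}")


def spki_key_id(key_type: str, raw: bytes) -> bytes:
    """The helper's behaviour as described on the page: SHA256(DER(SPKI(key)))."""
    return hashlib.sha256(spki_der(key_type, raw)).digest()


def note_key_hash(name: str, alg_byte: int, raw: bytes) -> bytes:
    """Note-format key hash: first 4 bytes of SHA256(name + "\\n" + alg || pubkey).

    This is how a signed-note checkpoint hints at its signing key (assumption:
    sumdb/note convention).
    """
    return hashlib.sha256(name.encode() + b"\n" + bytes([alg_byte]) + raw).digest()[:4]


def hint_matches_spki_id(key_type: str, raw: bytes, hint: bytes) -> bool:
    """What a verifier does with a checkpoint's 4-byte hint if it only knows SPKI IDs."""
    return spki_key_id(key_type, raw)[:4] == hint


if __name__ == "__main__":
    spki_hint = spki_key_id("ed25519", ED25519_RAW)[:4]
    note_hint = note_key_hash(ORIGIN, NOTE_ALG_ED25519, ED25519_RAW)
    print("SPKI-derived hint:", spki_hint.hex())
    print("note-format hint: ", note_hint.hex())
    # If these differ, an SPKI-only verifier cannot select the key from the hint
    # and has to fall back to trying every key in the keyring.
    print("hint lookup works:", hint_matches_spki_id("ed25519", ED25519_RAW, note_hint))
```

Running this for the constructed Ed25519 key prints both hints; when they differ, a verifier that indexes its keyring by SPKI key ID cannot use the checkpoint's hint and has to try every key, which is the "suboptimal" fallback path the issue describes. Publishing the checkpoint key ID in the trust root, as suggested below in the thread, removes the need for clients to derive it at all.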
Pending agreement, I think we should have RSA be the same key ID calculation. Doing the complex computation with 0xff doesn't feel worthwhile.
Also note the update on the thread, I think we can put checkpoint key ID in the trust root so that clients don't have to compute it.
> Pending agreement, I think we should have RSA be the same key ID calculation. Doing the complex computation with 0xff doesn't feel worthwhile.
SGTM!