sigstore-rs
Online verification with Rekor
Description
Hi! First big thanks to @flavio for leading so much here :)
Is the intent of this crate to allow online verification with Rekor as well? Without a rust rekor client, it would have to be an HTTP client and a lot of overhead in request/response forming and parsing. We were curious about this from the sget side -- right now we can re-use the code here for offline verification using the bundle.
@jyotsna-penumaka @lkatalin
Sorry, the last days have been a bit crazy... It's already possible to verify the Rekor data attached to a signature. I guess this is what you're looking for. Do I get it right?
@flavio Would you be able to point us to the code that does this?
I think there might be a mix up here (although I might be about to confuse it even further :P )
@flavio is referring to using the rekor public key for bundle verification --rekor-pub-key
I think @asraa is referring to making / retrieving / performing inclusion proofs etc. against an online rekor instance. @asraa are you thinking of direct gRPC calls to trillian (in relation to your comment on the overhead of a http client)?
@lukehinds is right. This is what I was referring to.
Given a cosign signature object retrieved from an OCI registry, the library will create a SignatureLayer object. The SignatureLayer might have a Rekor Bundle associated to it.
The bundle is associated inside of the constructor of SignatureLayer:
https://github.com/sigstore/sigstore-rs/blob/cc9fe808918f2b5775143e8ade351d315044db30/src/cosign/signature_layers.rs#L116
The get_bundle_from_annotations invokes the Bundle::new_verified constructor:
https://github.com/sigstore/sigstore-rs/blob/cc9fe808918f2b5775143e8ade351d315044db30/src/cosign/bundle.rs#L35-L56
This method attempts to verify the Bundle object using the rekor public key that is given by the user. If the verification fails an error is raised. The error will bubble up, reach the SignatureLayer::new and bubble up again. That results in the SignatureLayer not being considered trusted. Hence all the signatures inside of this layer are going to be ignored.
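The flow @flavio describes above, as an added Python reference illustration (not the crate's own code): it assumes the `cryptography` package is installed, and the Rekor key and log entry are constructed throwaway values.

```python
import base64
import json

# Assumption: the `cryptography` package is installed (pip install cryptography).
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

BUNDLE_ANNOTATION = "dev.sigstore.cosign/bundle"  # annotation cosign stores the bundle under


def canonical_payload(payload: dict) -> bytes:
    # Rekor signs the canonicalized JSON of the payload (sorted keys, no whitespace);
    # json.dumps approximates RFC 8785 closely enough for the simple types in a bundle.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def bundle_new_verified(raw: str, rekor_pub: ec.EllipticCurvePublicKey) -> dict:
    """Counterpart of Bundle::new_verified: parse the bundle, then verify its SET or raise."""
    bundle = json.loads(raw)
    set_sig = base64.b64decode(bundle["SignedEntryTimestamp"])
    # Raises InvalidSignature for a forged bundle or a tampered payload.
    rekor_pub.verify(set_sig, canonical_payload(bundle["Payload"]), ec.ECDSA(hashes.SHA256()))
    return bundle


def trusted_signatures(annotations: dict, signature_b64: str, rekor_pub) -> list:
    """Counterpart of SignatureLayer::new: a bundle that fails to verify poisons the whole layer."""
    raw = annotations.get(BUNDLE_ANNOTATION)
    if raw is None:
        return [signature_b64]  # no bundle attached, so there is nothing to check against Rekor
    try:
        bundle_new_verified(raw, rekor_pub)
    except (KeyError, ValueError, InvalidSignature):
        return []  # the error bubbled up: every signature in this layer is ignored
    return [signature_b64]


# Constructed sample data: a throwaway "Rekor" key signs a fabricated log entry.
_rekor_priv = ec.generate_private_key(ec.SECP256R1())
REKOR_PUB = _rekor_priv.public_key()
_payload = {"body": "ZXhhbXBsZQ==", "integratedTime": 1650000000, "logIndex": 42, "logID": "constructed"}
GOOD_BUNDLE = json.dumps({
    "SignedEntryTimestamp": base64.b64encode(
        _rekor_priv.sign(canonical_payload(_payload), ec.ECDSA(hashes.SHA256()))).decode(),
    "Payload": _payload,
})
# Change one digit of the log entry after it was signed; the SET no longer matches.
TAMPERED_BUNDLE = GOOD_BUNDLE.replace('"logIndex": 42', '"logIndex": 43')
```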
I am happy to work on this.
One thing I wanted to clarify: I think this will need to be an HTTP client? I am not sure there is another method? Did you have something in mind @asraa?
Hi folks, have you considered approaching sigstore-rs as a sans-io lib? Leaving the HTTP client out of the lib, allowing to use the lib with any client, making it easy for async, etc.
@viccuad that does sound like a better approach. Are there any examples in idiomatic Rust on how to go about this?
I was able to find this short list on crates.io. In theory it should be easy, just operate on u8, but I haven't written a sans-io lib myself yet.
I've been really tempted to experiment with sans-io. I would track that with a dedicated issue and attempt to not conflate the two things together (this issue and the one about giving sans-io a shot)
@flavio so would you be supportive of using something like reqwest for now?
Yes, this is what is used by oci-distribution. Just ensure you're using it in async mode. Using it in blocking mode would be an issue.