
Add KeyID (public key fingerprint) to signature in in-toto attestation

Open asraa opened this issue 3 years ago • 7 comments

Description

The DSSE wrapped signer does not populate the KeyID field of the DSSE payload https://github.com/sigstore/sigstore/blob/587d504f4dc16b2bc55eb7100658149de417eb30/pkg/signature/dsse/dsse.go#L65

As a result, running cosign attest or using the dsse.WrappedSigner leaves the keyid empty. This was produced by a cosign attest:

{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnY3IuaW8vYXNyYS1hbGkvYnVzeWJveC9kZW1vIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjM3ZTUyODc5NDU3NzRmMjdiNDE4Y2U1NjdjZDc3ZjRiYmM5ZWY0NGExYmNkMWEyMzEyMzY5ZjMxZjljY2U1NjcifX1dLCJwcmVkaWNhdGUiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViSG9zdGVkQWN0aW9uc0B2MSJ9LCJidWlsZFR5cGUiOiJodHRwczovL2dpdGh1Yi5jb20vQXR0ZXN0YXRpb25zL0dpdEh1YkFjdGlvbnNXb3JrZmxvd0B2MSIsImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7InVyaSI6ImdpdCthc3JhYS9zbHNhLW9uLWdpdGh1Yi10ZXN0LmdpdCIsImRpZ2VzdCI6eyJTSEExIjoiNDUwNjI5MGUyZThmZWIxZjM0YjI3YTA0NGY3Y2M4NjNjODMwZWY2YiJ9LCJlbnRyeVBvaW50IjoiVGVzdCBTTFNBIn0sImVudmlyb25tZW50Ijp7ImFyY2giOiJhbWQ2NCIsImVudiI6eyJHSVRIVUJfRVZFTlRfTkFNRSI6IndvcmtmbG93X2Rpc3BhdGNoIiwiR0lUSFVCX1JVTl9JRCI6IjE4ODgyMTYxNTkiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjY5In19fSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQrYXNyYWEvc2xzYS1vbi1naXRodWItdGVzdC5naXQiLCJkaWdlc3QiOnsiU0hBMSI6IjQ1MDYyOTBlMmU4ZmViMWYzNGIyN2EwNDRmN2NjODYzYzgzMGVmNmIifX1dfX0=",
  "signatures": [
    {
      "keyid": "",
      "sig": "MEUCIGoyFXzEOqVRbK1/0Ep4sfwiWZ77nRj9WirRsCKrIAYgAiEAoTMViCICvK5z5cBEcWuWOj85f8OKkoyCCeSVihU1lSo="
    }
  ]
}

This would be nice to have to identify which key was used to produce the signature rather than brute force verifying against them all (let's say, from fetching rekor entries by the Subject.Digest of the intoto attestation). But I'm aware that keyid is optional.

Right now I have a signed in-toto attestation and want to search on the log for the correct rekor entry. Right now I can only search rekor in-toto attestations reliably with Subject.Digest (since the entire DSSE envelope is not stored, and the hash of the signed payload isn't canonical). I may get multiple rekor entries of intoto attestations. I want to select the correct one programmatically. If I can match certs with keyids I can narrow down without comparing attestation payloads or iterating through verification with the signing certs in the rekor entries.

asraa avatar Feb 24 '22 16:02 asraa

I don't know if tekton chains wants to/can use sigstore/sigstore's wrapped signer, but right now it doesn't and it doesn't have parity on this issue. @priyawadhwa

asraa avatar Feb 24 '22 16:02 asraa

I think once KeyID is added in we could switch over to sigstore's signer! Support for it with a different signer was added by a contributor a while ago (code is here for reference)

priyawadhwa avatar Feb 24 '22 17:02 priyawadhwa

SGTM!

dlorenc avatar Feb 25 '22 22:02 dlorenc

@asraa still an issue?

haydentherapper avatar Nov 08 '22 06:11 haydentherapper

Yeah, it's not high priority, but it's a good cleanup.

asraa avatar Nov 08 '22 15:11 asraa

Bump up this issue. Although specified as optional, the key id is a really important field for centralized verification points, which may "know" hundreds of provenance signers and signing keys. Without hints from key id, exhaustively trying every known key for every verification request would be quite expensive...

AdamZWu avatar Mar 31 '23 14:03 AdamZWu

Hey! I don't have the bandwidth to do it, but it should be fairly easy to implement. The hard part being documenting the key id computation

asraa avatar Mar 31 '23 14:03 asraa