Feature: log rekor UUID to log

Open laurentsimon opened this issue 3 years ago • 3 comments

To help with troubleshooting rekor, let's log the rekor UUID after upload.

I'm wondering if it would help to embed the UUID as part of this proposal https://github.com/sigstore/cosign/issues/1743

/cc @asraa

laurentsimon avatar Jun 16 '22 02:06 laurentsimon

Definitely let's upload.

I'm wondering if it would help to embed the UUID as part of this proposal https://github.com/sigstore/cosign/issues/1743

I think the most straightforward would be to embed the cert in the envelope, so we have all the info needed to verify the rekor entry, right?

asraa avatar Jun 16 '22 14:06 asraa

I don't know the inner details of rekor: is the UUID backed by Trillian or Redis? I was assuming UUID was backed by Trillian: so having the UUID in the envelope would allow the rekor lookup even if Redis has problems, in order to verify that the entry is in the log.

laurentsimon avatar Jun 16 '22 15:06 laurentsimon

It would, that's right. I only say it's better to add cert because that's more understandable than a UUID annotation.

On the other hand, I wonder what prevents having custom annotations in the DSSE envelope?

asraa avatar Jun 16 '22 15:06 asraa
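The question above, whether a DSSE envelope can carry custom annotations, is worth working through concretely. The Go program below is an added example written for this page; it is not code from slsa-github-generator, cosign or the DSSE reference implementation. It adds two assumed top-level fields, `cert` and `rekorUUID` (the names are hypothetical), next to the standard `payloadType`, `payload` and `signatures` fields, then shows three things a practitioner should check before relying on such annotations: a consumer that only knows the standard envelope still parses it (Go's `encoding/json` ignores unknown fields by default), a consumer that opts into `DisallowUnknownFields` rejects it, and the DSSE pre-authentication encoding (PAE) covers only the payload type and payload, so the annotations are unsigned and must be treated as lookup hints, never as verified facts about the Rekor entry. The payload, key ID, signature and certificate values are constructed placeholders.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Signature and Envelope mirror the standard DSSE envelope fields.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// AnnotatedEnvelope is a hypothetical extension of the envelope with two extra
// top-level fields: the PEM signing certificate and the Rekor entry UUID.
// The field names are assumptions made for this example, not a standard.
type AnnotatedEnvelope struct {
	Envelope
	Cert      string `json:"cert,omitempty"`
	RekorUUID string `json:"rekorUUID,omitempty"`
}

// PAE is the DSSE v1 pre-authentication encoding, i.e. the exact bytes a
// signature covers. Anything else in the envelope, including the
// annotations above, is outside the signed region.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
		len(payloadType), payloadType, len(payload), payload))
}

// BuildAnnotatedEnvelope serializes an envelope that carries the extra fields.
func BuildAnnotatedEnvelope(payloadType string, payload []byte, sig Signature,
	cert, rekorUUID string) ([]byte, error) {
	env := AnnotatedEnvelope{
		Envelope: Envelope{
			PayloadType: payloadType,
			Payload:     base64.StdEncoding.EncodeToString(payload),
			Signatures:  []Signature{sig},
		},
		Cert:      cert,
		RekorUUID: rekorUUID,
	}
	return json.Marshal(env)
}

// ParseLenient decodes with encoding/json's default behaviour: unknown fields
// are silently dropped, so a verifier that only knows the standard envelope
// still accepts an annotated one.
func ParseLenient(data []byte) (Envelope, error) {
	var env Envelope
	err := json.Unmarshal(data, &env)
	return env, err
}

// ParseStrict rejects unknown fields; this is the consumer that breaks when
// annotations are added.
func ParseStrict(data []byte) (Envelope, error) {
	var env Envelope
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	err := dec.Decode(&env)
	return env, err
}

// ReadAnnotations pulls the unsigned extra fields back out. Callers must use
// the UUID only to locate the Rekor entry and then verify the entry itself.
func ReadAnnotations(data []byte) (cert, rekorUUID string, err error) {
	var env AnnotatedEnvelope
	if err = json.Unmarshal(data, &env); err != nil {
		return "", "", err
	}
	return env.Cert, env.RekorUUID, nil
}

func main() {
	// Constructed placeholder values; not a real statement, key or certificate.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v0.1"}`)
	sig := Signature{KeyID: "example-key", Sig: base64.StdEncoding.EncodeToString([]byte("sig"))}
	data, err := BuildAnnotatedEnvelope("application/vnd.in-toto+json", payload, sig,
		"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n", "0123456789abcdef")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
	env, err := ParseLenient(data)
	fmt.Printf("lenient parse: err=%v payloadType=%s\n", err, env.PayloadType)
	_, err = ParseStrict(data)
	fmt.Printf("strict parse: err=%v\n", err)
	cert, uuid, _ := ReadAnnotations(data)
	fmt.Printf("annotations: uuid=%s certPresent=%t\n", uuid, cert != "")
	fmt.Printf("signed bytes: %q\n", PAE(env.PayloadType, payload))
}
```

Running it shows the standard parse succeeding with the annotations dropped, the strict parse failing on `cert`, and a PAE string that does not mention either annotation. That last point is the caveat for both proposals in this thread: whether the envelope carries the UUID or the cert, the verifier still has to fetch the Rekor entry and check its inclusion proof, and it should bind the cert to the signature rather than trust the annotation as-is.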

This is done as well

asraa avatar Dec 08 '22 17:12 asraa