-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Include raw Rekor Bundle in TransparencyLogEntry #9
Comments
Just saw that Bob did acknowledge that the user-supplied hash in intoto v0.0.2 is a bug and should be fixed in v0.0.3: sigstore/rekor#1162 (comment) |
Another thing that @bdehamer found that will make it hard to reconstruct the Rekor entry: sigstore/rekor#1170 |
Maybe this is a 2 step: 1.Capture the canoncalized rekor entry in the bundle. Tell clients to validate the signatures are equal to prove "matching bundle". |
Description
The bundle spec includes transparency log entries. In earlier discussions and the unmerged verification documentation, I think we agreed that IF a log entry is provided in the bundle, we MUST perform a successful SET verification (inclusion promise).
The SET verification requires 6 pieces of data:
All of the above fields are included in the bundle except for the canonicalized Rekor entry. It was decided in the original proposal to reconstruct it from other data in the bundle, and by adding
KindVersion
to hint to the verifier which entry version to reconstruct. I believe this decision was made due to the fact that the intoto type would duplicate the DSSE in the bundle, producing a larger file size due to the redundant data.Unfortunately, we still lack enough information to deterministically reproduce all Rekor entries. This was called out in the original proposal, but it was believed that we could reconstruct
hashedRekord
andintoto
entries, which I understand to be the only supported entry types for the bundle. In fact, the intoto type still has an ambiguous field, thehash
value which is calculated over the DSSE envelope. Rekor does not enforce any canonicalization of the DSSE used to produce the hash in the intoto v0.0.2 type, therefore, current intoto v0.0.2 entries cannot be verified without the raw bytes of the DSSE, which are not included in the bundle.Additionally, it is a large burden to place on non-Go clients to reproduce the behavior of all the supported Rekor entry types, and I believe this will lead to verifiers that don't follow spec.
In my opinion, we should just capture the raw Rekor entry in the
TransparencyLogEntry
.Alternatives:
The text was updated successfully, but these errors were encountered: