add new trusted_root.json target #584
Conversation
Signed-off-by: Brian DeHamer <bdehamer@github.com>
targets/trusted_root.json
Outdated
| }, | ||
| "validFor": { | ||
| "start": "2021-03-07T03:20:29.000Z", | ||
| "end": "2031-02-23T03:20:29.000Z" |
There was a problem hiding this comment.
This end date should probably be whatever date we stopped signing w/ this certificate but I wasn't sure when that was.
There was a problem hiding this comment.
June 30 2022 would be reasonable IIRC, but if you want to be even more safe, just do end of 2022.
@asraa if you remember a more precise date
|
Nice, thanks for doing this! |
targets/trusted_root.json
Outdated
| "hashAlgorithm": "SHA2_256", | ||
| "publicKey": { | ||
| "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==", | ||
| "keyDetails": "PKIX_ECDSA_P256_SHA_256" |
There was a problem hiding this comment.
We should include the validFor attribute too for both this and the 2022 instance, so a client could pick up the correct instance based on the validity time. For 2022 we should not have an end date.
There was a problem hiding this comment.
Thank you!!! I actually think we should start a new milestone for a v6 root signing. I will create one, and add in the relevant checklist items (convening on a date on the calendar, testing, etc)
Naming comment: I would prefer this would be named something that indicates the protobuf type and version of this object OR to have the type and version encoded in the object itself.
If naming suffices, maybe something like dev.sigstore.trustroot.v1.TrustedRoot.json. Someone else can do better that me...
cc @jku
targets/trusted_root.json
Outdated
| "hashAlgorithm": "SHA2_256", | ||
| "publicKey": { | ||
| "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==", | ||
| "keyDetails": "PKIX_ECDSA_P256_SHA_256" |
There was a problem hiding this comment.
Same here, we should include validFor, without the end timestamp.
|
Here's the list of values we need to fill-in still (values I wasn't able to deduce from the existing TUF data):
|
targets/trusted_root.json
Outdated
| }, | ||
| "validFor": { | ||
| "start": "2021-03-07T03:20:29.000Z", | ||
| "end": "2031-02-23T03:20:29.000Z" |
There was a problem hiding this comment.
June 30 2022 would be reasonable IIRC, but if you want to be even more safe, just do end of 2022.
@asraa if you remember a more precise date
Co-authored-by: Hayden B <hblauzvern@gmail.com> Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
|
Thanks for the updates! The remaining work from your comment is still outstanding -- by EOW I'll try to help as well. But this is still on my roadmap to merge soon for https://github.com/sigstore/root-signing/milestone/3 |
targets/trusted_root.json
Outdated
| "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==", | ||
| "keyDetails": "PKIX_ECDSA_P256_SHA_256", | ||
| "validFor": { | ||
| "start": "2022-01-01T00:00:00.000Z" |
There was a problem hiding this comment.
Need a more accurate start date here
There was a problem hiding this comment.
I believe around Sigstore GA, Oct 20th's a good bound.
There was a problem hiding this comment.
Updated to match Sigstore's GA date.
There was a problem hiding this comment.
Ah, I think it is still 2022-01-01 - maybe a missing commit?
| "start": "2021-03-07T03:20:29.000Z", | ||
| "end": "2022-01-01T00:00:00.000Z" |
There was a problem hiding this comment.
Need accurate start/end dates here
There was a problem hiding this comment.
So this key was used until Sigstore went GA around october 20th 2022
however, that was using the https://ctfe.sigstore.dev as the base URL. It's almost like there should be an entry for that URL until oct 20th, and then onwards for /test
@haydentherapper not really sure....
There was a problem hiding this comment.
ping @haydentherapper is this actually being used anymore? or what do you think about the proposal to have the entry for https://ctfe.sigstore.dev as the old signing key from it's start date to GA, and then this current entry for /test from GA to current.
Signed-off-by: Brian DeHamer <bdehamer@github.com>
|
@woodruffw FYI Not sure how python are dealing with the Sigstore trust root, but from v6 and forward (scheduled for February 28th) the entire trust root will be shipped as a single target to avoid all the stitching in the client. |
|
Thanks for the ping! Yeah, we'll probably need to update our TUF use to handle this. Is there going to be a compatibility period where both formats are distributed in the TUF repo? |
|
Yeah, as there are some old clients out in the wild, I think the targets will be published using both formats for a fairly long time, but can't provide any more accurate info than that. So far, it's only sigstore-js that I know have the new updated format on the roadmap. |
Yes, I won't be removing the existing current targets, just supporting this new format to allow clients to move when necessary. |
| }, | ||
| "validFor": { | ||
| "start": "2022-04-13T20:06:15.000Z", | ||
| "end": "2031-10-05T13:56:58.000Z" |
There was a problem hiding this comment.
should we omit the end here? it's the cert end date as I see, but not the end of service date. but either way it's an upper bound on it so can always be updated.
There was a problem hiding this comment.
I'm still leaning towards omission of the end, but doesn't matter to me since we can always update it when it's EOL is known.
There was a problem hiding this comment.
On the consuming side, I personally find end here confusing: it's not the "end" in terms of service date (as you said), but only the point after which newly issued certs shouldn't be chained up to this particular root or intermediate.
Given that that information should already be embedded into the certs themselves, I'm in favor of omitting it.
(My understanding is that start needs to be kept around for filtering purposes, i.e. we don't want to include a cert in the X.509 verification context before it's actually become active. But that too should be handled during the client verification process, so I'm not 100% sure what purpose it has in the bundle here.)
There was a problem hiding this comment.
+1, I'd like to leave this comment open for addressing on Brian's side
There was a problem hiding this comment.
@bdehamer to add to the TODO for fixup
There was a problem hiding this comment.
Wait, the end date is not meant to indicate the certificate's validity period. That is redundant as @woodruffw said. It's supposed to indicate when that certificate/chain was decommissioned. We typically can't just rely on a list of certs with a start value (and so assume that the next start indicates the "current" end), there is going to be some short overlap during time a new certificate is deployed.
There was a problem hiding this comment.
Agree - I added this to the follow-up issue Brian posted to resolve
| "start": "2021-03-07T03:20:29.000Z", | ||
| "end": "2022-01-01T00:00:00.000Z" |
There was a problem hiding this comment.
So this key was used until Sigstore went GA around october 20th 2022
however, that was using the https://ctfe.sigstore.dev as the base URL. It's almost like there should be an entry for that URL until oct 20th, and then onwards for /test
@haydentherapper not really sure....
targets/trusted_root.json
Outdated
| "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==", | ||
| "keyDetails": "PKIX_ECDSA_P256_SHA_256", | ||
| "validFor": { | ||
| "start": "2022-01-01T00:00:00.000Z" |
There was a problem hiding this comment.
I believe around Sigstore GA, Oct 20th's a good bound.
The new start date matches the date of the first record added to the log Signed-off-by: Brian DeHamer <bdehamer@github.com>
The start date for the https://ctfe.sigstore.dev/2022 key has been updated to match Sigstore's October 20th, 2022 GA date. Signed-off-by: Brian DeHamer <bdehamer@github.com>
|
Interesting! So do I understand correctly when I say that the TrustedRoot will be distributed as a TUF target, not metadata? |
|
@trishankatdatadog Exactly! Today the components that makes up the TrustedRoot are shipped as individual targets, with metadata attached to them that describes them. With this PR, we can assemble the trusted root once, with all the semantics implicit via a well-defined structure, so we save the clients a lot of work as they don't need to parse the metadata and collect all the targets to assemble the trusted root. |
|
@bdehamer do you want to merge and file a follow-up issue with a v6 milestone on the remaining TODOs? |
|
I'm very excited for these changes! Anything that reduces the number of TUF repo round-trips that Sigstore clients have to make is a win, in my book 🙂 One question from the consuming side: is the |
I think you are correct. It's the total history of the TRUSTED material. If any previous keys get compromised, they will disappear, but it's all the latest view on the history of all trusted material (there, I used both quoted words in it!) |
|
@asraa yeah, I think we can merge this and I'll add the remaining TODOs in an issue. |
|
@kommendorkapten @bdehamer How did you generate this? Did you craft this by hand? |
|
@haydentherapper I wrote this wacky tool a while back, it's very hacky https://github.com/kommendorkapten/trtool/blob/main/cmd/trtool/app/initroot.go I have some more features that's not pushed yet, like add more content to an existing trust root. I'll try to fix that very soon and push the changes. |
|
Thanks! @lkatalin this might be a good starting point |
|
Thanks, that's very helpful! |
Signed-off-by: Brian DeHamer bdehamer@github.com
Summary
I'm not sure we're ready to implement this yet, but I thought I'd take a crack and gathering all of the keys/certs we're currently distributing via TUF and massaging them into the TrustedRoot format (JSON-serialized) defined in sigstore/protobuf-specs.
From a client perspective, it sure seems like this would make things much easier -- having a single structured target to download vs. juggling multiple targets (and also parsing metadata from the
targets.jsonfile).