Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for inclusion/consistency proofs and checkpoint/STH verification. #283

Open
vembacher opened this issue Jul 13, 2023 · 6 comments
Open

Support for inclusion/consistency proofs and checkpoint/STH verification. #283

vembacher opened this issue Jul 13, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@vembacher
Copy link
Contributor

Summary

I would like to see support for inclusion/consistency proofs and checkpoints/STH.

Also related: #274

Reasoning

  • inclusion proofs: enable stricter bundle/log entry verification compared to only verifying the SET
  • consistency proofs: enable monitor implementations
  • checkpoints/STH: these are included along the other two, and should also be verified

Implementation

I'm willing to implement this feature, I have already implemented it in another (non-public) crate so I can just port it to this crate.
However, I want to discuss some minor details on how to do it first:

  1. Add the basic implementation to the crypto module that is not be part of the public API.
  2. Add methods to the related Rekor data structures to verify them, this would be part of the public API .
  3. For now I would not add their verification to the Cosign module directly to avoid breaking changes here.
  4. Is there a specification for the checkpoint/STH format?
@vembacher vembacher added the enhancement New feature or request label Jul 13, 2023
@haydentherapper
Copy link
Contributor

Checkpoint format comes from https://github.com/sigstore/rekor/blob/main/pkg/util/checkpoint.go. It's Go's SumbDB note format (https://pkg.go.dev/golang.org/x/mod/sumdb/note) with a timestamp in OtherContent.

vembacher added a commit to vembacher/sigstore-rs that referenced this issue Jul 19, 2023
@vembacher
Added implementations for Merkle proofs.
f990ebf 
Relates to: sigstore#283

Signed-off-by: Victor Embacher <victor@embacher.xyz>
@vembacher vembacher mentioned this issue Jul 19, 2023
Open
5 tasks
@vembacher
Copy link
Contributor Author

Checkpoint format comes from https://github.com/sigstore/rekor/blob/main/pkg/util/checkpoint.go. It's Go's SumbDB note format (https://pkg.go.dev/golang.org/x/mod/sumdb/note) with a timestamp in OtherContent.

Thanks! I was not sure if there was another specification I did not find. I used the Go code as the reference implementation.

vembacher added a commit to vembacher/sigstore-rs that referenced this issue Jul 21, 2023
@vembacher
Added merkle proof examples, fixed some bugs, reduced repetition and …
c1eadee 
…added some functionality.

Relates to: sigstore#283

Signed-off-by: Victor Embacher <victor@embacher.xyz>
@gaetanww
Copy link

I'm also interested in supporting inclusion proofs, do you need help to get this over the line?

@haydentherapper
Copy link
Contributor

cc @woodruffw @jleightcap - I think y'all have begun looking at supporting inclusion proof?

@tnytown
Copy link
Contributor

tnytown commented Feb 14, 2024

Speaking for the @trailofbits delegation: I don't think we've gotten around to integrating inclusion proofs yet. I was planning on taking a look at the implementation in #285 once the dust settles on bundles (#326 and #311).

@gaetanww
Copy link

gaetanww commented Feb 14, 2024
edited
Loading

I tried the implementation in #285 today and there's a problem with it, see my comment. Happy to add a commit if you agree with the fix.

vembacher added a commit to vembacher/sigstore-rs that referenced this issue Mar 20, 2024
@vembacher
Added implementations for Merkle proofs.
0d3fc02 
Relates to: sigstore#283

Signed-off-by: Victor Embacher <victor@embacher.xyz>
vembacher added a commit to vembacher/sigstore-rs that referenced this issue Mar 20, 2024
@vembacher
Added merkle proof examples, fixed some bugs, reduced repetition and …
7dd4224 
…added some functionality.

Relates to: sigstore#283

Signed-off-by: Victor Embacher <victor@embacher.xyz>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tnytown @haydentherapper @vembacher @gaetanww