Better docs on how to verify signedEntryTimestamp #1943
Comments
@ernoc there's also info here:
One question that comes to mind from reading the comments at Lines 433 to 476 in 4fcdcaa
The JSON document could be referring to:
I'm assuming the second is the right one?
I have this same problem. I'm currently trying to manually do this by following the logic in cosign and/or in rekor. I got a dump of the {"body":"...","integratedTime":1708462670,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d","logIndex":72768902}. So far though I can't quite get it to work.
I've also tried with a
See https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1311-L1329 - We marshal the body, integrated time, log ID and log index, and then use a json canonicalization library before verifying it. That last step might be what's missing?
This works, but it was pretty involved:
I know the new Sigstore protobuf bundle will include some of this info; but is it correct that for now there is no simpler way to get the entire Rekor bundle other than parsing and stitching together fields from the
A feature to output the canonicalized bundle seems reasonable.
The documentation referenced above does not accurately describe how the verification is actually performed. Moreover, the verification procedure above fails with some rekor entries, as it seems that old rekor entries (e.g., index Is that a correct assessment? Should the documentation and/or verification procedure be updated?
The SET verification (not inclusionProof verification) is doing canonicalization here. This is evident in the manual testing I did recently, where the payload for the SET always has the fields in alphabetical order: body, integratedTime, logID, logIndex. The documentation should definitely be updated - I plan to work on that after adding the canonicalized Rekor bundle to rekor-cli output (draft PR here and I'm planning to make a Rekor PR based on the protobuf). I'm not sure about the verification failure for older entries, maybe someone else knows about this.
Left a comment on the issue on protobuf-specs. I'm not sure about the verification failure. That could be due to a change in requirements for the type? Early on there were a few changes that should have warranted a new type that we didn't do. We can relax those constraints if need be.
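The two comments above (the cosign pointer to marshal body, integrated time, log ID and log index and then canonicalize before verifying, and the observation that the SET payload always carries those four fields in alphabetical order) describe the whole procedure. Below is an added, self-contained Go example written for this thread; it is not code from cosign, rekor or this issue. It assumes the SET is an ECDSA P-256 signature over SHA-256 of the canonical JSON, uses a freshly generated key pair as a stand-in for Rekor's public key, a constructed base64 body in place of the elided one, and a simplified canonicalization (sorted keys, no whitespace) that matches RFC 8785 only for a flat payload of ASCII strings and integers like this one; a real verifier should use a proper JCS library and the log's published key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// RekorPayload holds the four fields that are signed by the signedEntryTimestamp.
// Field order here does not matter: canonicalize sorts the keys.
type RekorPayload struct {
	LogIndex       int64  `json:"logIndex"`
	Body           string `json:"body"`
	LogID          string `json:"logID"`
	IntegratedTime int64  `json:"integratedTime"`
}

// canonicalize returns the bytes that are actually signed: keys in sorted order,
// no insignificant whitespace, integers unchanged. For this flat payload that is the
// same as RFC 8785 (JCS) output (assumption; a general JSON document needs a JCS library).
func canonicalize(p RekorPayload) ([]byte, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep integers exact instead of round-tripping through float64
	var m map[string]interface{}
	if err := dec.Decode(&m); err != nil {
		return nil, err
	}
	// encoding/json emits map keys in sorted order and compact form.
	return json.Marshal(m)
}

// signSET produces a SET the way a log would: ECDSA over SHA-256 of the canonical
// payload, DER-encoded signature, base64 for transport. Only used to build test data.
func signSET(priv *ecdsa.PrivateKey, p RekorPayload) (string, error) {
	canon, err := canonicalize(p)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(canon)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifySET is the check a client performs: decode the base64 SET, rebuild the canonical
// payload from the entry fields, and verify the signature with the log's public key.
func VerifySET(pub *ecdsa.PublicKey, p RekorPayload, setB64 string) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(setB64)
	if err != nil {
		return false, err
	}
	canon, err := canonicalize(p)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(canon)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// Demo builds a constructed entry, signs it with a throwaway key, and returns the
// canonical payload, the verification result, and the result for a tampered copy.
func Demo() (canonical string, ok bool, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for Rekor's key
	if err != nil {
		return "", false, false, err
	}
	entry := RekorPayload{
		Body:           "ZXhhbXBsZS1ib2R5", // constructed placeholder for the elided base64 body
		IntegratedTime: 1708462670,
		LogID:          "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
		LogIndex:       72768902,
	}
	canon, err := canonicalize(entry)
	if err != nil {
		return "", false, false, err
	}
	set, err := signSET(priv, entry)
	if err != nil {
		return "", false, false, err
	}
	ok, err = VerifySET(&priv.PublicKey, entry, set)
	if err != nil {
		return "", false, false, err
	}
	tampered := entry
	tampered.LogIndex++ // any field change must invalidate the SET
	tamperedOK, err = VerifySET(&priv.PublicKey, tampered, set)
	return string(canon), ok, tamperedOK, err
}

func main() {
	canon, ok, tamperedOK, err := Demo()
	fmt.Println(canon, ok, tamperedOK, err)
}
```

Running it prints the canonical payload with the keys in the order body, integratedTime, logID, logIndex, then true for the genuine entry and false for the one with a changed logIndex. Note that Go's json.Marshal HTML-escapes `<`, `>` and `&`, which JCS does not; that never affects a base64 body or hex log ID, but it is one more reason to use a real JCS implementation in production code.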
In order to verify signedEntryTimestamp, one needs to follow instructions that I could only find here in this yaml. That's also the only specification I could find as to what's included in the signature (although I could be mistaken of course).
However, that's not easily discoverable in the docs; in particular, it doesn't show up on the swagger docs.
Would be nice if this spec and these instructions were easily searchable in the docs: