Support multiple ctfe keys #190
Conversation
|
my plan was to expose a simple lookup method per client that returns the public key for a specific URL. e.g. getPublicKey(URL). |
|
yeah sgtm, we can refactor for that when ready. |
| Resources.getResource("dev/sigstore/tuf/staging/fulcio.crt.pem")); | ||
| } | ||
|
|
||
| public static List<byte[]> ctfePublicKeys() throws IOException { |
There was a problem hiding this comment.
I know this is temporary code but why not just parse the pub keys right here?
There was a problem hiding this comment.
oh parse them into keys? I dunno, I guess we could stop sending byte[]s around.
There was a problem hiding this comment.
it might be weird for each implementation to have to parse it?
There was a problem hiding this comment.
lemme handle this is a followup. We'll return certs, and keys instead of just bytes everywhere.
sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioVerifier.java
Outdated
Show resolved
Hide resolved
| @@ -13,9 +13,9 @@ We keep copies of the remote tuf repositories locally in | |||
| for interfacing with *.sigstage.dev | |||
|
|
|||
| For this client to function we need the following keys | |||
| 1. CTFE public key (`ctfe.pub` \ | |||
| 1. CTFE public keys (`ctfe.pub`, `ctfe_2022.pub`) \ | |||
There was a problem hiding this comment.
why do we need the old key?
There was a problem hiding this comment.
you need the old key to verify that older SCTs embedded into older certs can still be verified (since they are not re-issued).
There was a problem hiding this comment.
also I need to update htis readme
There was a problem hiding this comment.
hmm, I guess we need the full history to verify old rekor entries with SCTs that were created with older keys.. I need to talk to Asra I think because I thought she said it was fine to just bundle the latest in the client.
There was a problem hiding this comment.
we need a full key history for all of sigstore (unless there is an expiry date for software?)
There was a problem hiding this comment.
Yeaah there's still a bit more to do here. We need to allow the client to accept multiple fulcioRoots and rekorPubKeys.
Signed-off-by: Appu Goundan <[email protected]>
loosebazooka
force-pushed
the
support-multiple-ctfe-keys
branch
from
cd160c5 to
b5798fc
Compare
|
@patflynn can we get this in and then followup, it'll fix the broken build. |
|
@loosebazooka We also need to add the new CTFE prod key, correct? |
|
Correct. Will add in soon. |
Signed-off-by: Appu Goundan [email protected]
This is kind of a temporary solution till we get tuf ready. I still think we should make some sort of "verification material provider" interface that our TUF client implements and maybe there are other implementations?. But... this fixes #188 for now.