
Use an in memory timestamping key #402

Merged (2 commits), Jul 30, 2021

Conversation

asraa (Contributor) commented Jul 30, 2021

Signed-off-by: Asra Ali asraa@google.com

  • Generates an in-memory timestamping key. The rekor signer creates a timestamping certificate for this key.
  • If a timestamp_chain is loaded in, then this is used for the timestamping chain. Its leaf must be a certificate for the rekor signer.
  • Otherwise, a self-signed in-memory CA is created.

Tested with both an in-memory signer (no chain) and a timestamp_chain loaded in, authorizing the rekor signer as a CA to issue timestamping certificates.

Signed-off-by: Asra Ali <asraa@google.com>
asraa (Contributor, Author) commented Jul 30, 2021

@dlorenc

Two review threads on pkg/signer/memory.go (outdated, resolved)
Signed-off-by: Asra Ali <asraa@google.com>
asraa (Contributor, Author) commented Jul 30, 2021

Thanks for the check! Confirmed it works in these cases:

  • Load up a gcpkms signer and a timestamping cert chain -> uses the signer to create a TSA cert, and verifies with the chain provided (the cert chain must authorize the signer to be a CA)
  • Load up a gcpkms signer and no timestamping cert chain -> creates an in-memory root CA which creates the TSA cert
  • Load up an in-memory signer and no timestamping cert chain -> creates an in-memory root CA which creates the TSA cert
  • If you load up an in-memory signer and a timestamping cert chain -> you will fail on startup because it won't verify the chain
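The branch logic described in the PR description and exercised by the four cases above, as an added Go example (not rekor's own code from pkg/signer/memory.go): a fresh in-memory key gets a leaf certificate carrying the time-stamping extended key usage; when a chain is supplied, its leaf must be a CA certificate whose public key is the rekor signer's, and the signer issues the TSA certificate under it; with no chain, a self-signed in-memory CA is generated and issues the TSA certificate. All names (`TimestampChain`, `NewChainForSigner`, `VerifyTimestampChain`, the "example ..." subject names) are assumptions for this illustration; `NewChainForSigner` stands in for the externally provisioned chain that authorizes the signer as a CA. The last case in `main` reproduces the startup failure from the final bullet: a freshly generated in-memory signer does not match the key the supplied chain certifies.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed serial counter for the example only; a real CA uses random serials.
var serial int64

// template builds a minimal certificate template; CA certs get the certSign key usage.
func template(cn string, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	serial++
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue signs tmpl for pub with parentKey; passing parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newKey generates an in-memory P-256 key (the "in-memory signer" of the PR).
func newKey() crypto.Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewChainForSigner constructs [signerCA, root]: a root that authorizes signer as a CA.
func NewChainForSigner(signer crypto.Signer) ([]*x509.Certificate, error) {
	rootKey := newKey()
	rootTmpl := template("example root", true, nil)
	root, err := issue(rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	if err != nil {
		return nil, err
	}
	signerCA, err := issue(template("example rekor signer CA", true, nil), root, signer.Public(), rootKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{signerCA, root}, nil
}

// TimestampChain returns [tsaLeaf, chain...] for a fresh in-memory timestamping key.
func TimestampChain(signer crypto.Signer, chain []*x509.Certificate) ([]*x509.Certificate, error) {
	tsaKey := newKey()
	leafTmpl := template("example rekor timestamping", false, []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping})
	if len(chain) == 0 {
		// No chain loaded: a self-signed in-memory CA issues the TSA certificate.
		caKey := newKey()
		caTmpl := template("example in-memory CA", true, nil)
		ca, err := issue(caTmpl, caTmpl, caKey.Public(), caKey)
		if err != nil {
			return nil, err
		}
		leaf, err := issue(leafTmpl, ca, tsaKey.Public(), caKey)
		if err != nil {
			return nil, err
		}
		return []*x509.Certificate{leaf, ca}, nil
	}
	// Chain loaded: its leaf must be a CA certificate for the rekor signer's key.
	issuer := chain[0]
	if !issuer.IsCA {
		return nil, errors.New("timestamp chain leaf is not a CA certificate")
	}
	pub, ok := issuer.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return nil, errors.New("timestamp chain leaf does not certify the rekor signer's key")
	}
	leaf, err := issue(leafTmpl, issuer, tsaKey.Public(), signer)
	if err != nil {
		return nil, err
	}
	return append([]*x509.Certificate{leaf}, chain...), nil
}

// VerifyTimestampChain checks that the leaf chains to the last cert (the root) for time stamping.
func VerifyTimestampChain(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return errors.New("chain needs at least a leaf and a root")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	})
	return err
}

func main() {
	signer := newKey()
	chain, _ := NewChainForSigner(signer)
	tsa, err := TimestampChain(signer, chain)
	fmt.Println("chain loaded:", err, VerifyTimestampChain(tsa))
	tsa, err = TimestampChain(newKey(), nil)
	fmt.Println("no chain:", err, VerifyTimestampChain(tsa))
	_, err = TimestampChain(newKey(), chain)
	fmt.Println("in-memory signer with foreign chain:", err)
}
```

`VerifyTimestampChain` asks `x509.Verify` for the time-stamping key usage, so a leaf without that EKU, or a chain whose issuer is not a CA, fails verification at startup rather than at the first timestamp request.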

@dlorenc dlorenc merged commit cfb395d into sigstore:main Jul 30, 2021
@cpanato cpanato added this to the v0.4.0 milestone Aug 4, 2021
@cpanato cpanato modified the milestones: v0.4.0, v1.0.0 Aug 25, 2021

3 participants