Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sign: switch to P-256 #662

Merged
merged 6 commits into from
Jun 7, 2023
Merged

sign: switch to P-256 #662

merged 6 commits into from
Jun 7, 2023

Conversation

woodruffw
Copy link
Member

This is faster than P-384, is well-supported, and is well within security margins.

Longer term I'd like to switch to ed25519, but I'm having some trouble getting Rekor to accept hashedrekord entries for ed25519 signatures.

cc @alex

@woodruffw
sign: switch to P-256
09d438c 
This is faster than P-384, is well-supported, and is well within
security margins.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw added the component:signing Core signing functionality label May 31, 2023
@woodruffw woodruffw requested review from di and haydentherapper May 31, 2023 15:13
@woodruffw woodruffw self-assigned this May 31, 2023
haydentherapper
haydentherapper previously approved these changes May 31, 2023
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rekor doesn’t support ed25519 for hashedrekord because it requires the preimage, not the hash. See sigstore/rekor#1325 for a fix, haven’t had a chance to double check that’ll work.

@woodruffw
Copy link
Member Author

Rekor doesn’t support ed25519 for hashedrekord because it requires the preimage, not the hash. See sigstore/rekor#1325 for a fix, haven’t had a chance to double check that’ll work.

Cool, thanks! I think the Python client will be blocked on ed25519-ph anyways due to Cryptography not supporting it (in part because OpenSSL in turn doesn't).

@woodruffw woodruffw enabled auto-merge (squash) May 31, 2023 20:16
@woodruffw
CHANGELOG: record changes
3364410 
Signed-off-by: William Woodruff <william@trailofbits.com>
di
di previously approved these changes Jun 5, 2023
View reviewed changes
woodruffw added 2 commits June 5, 2023 20:24
@woodruffw
Merge branch 'main' into ww/p256
61984bd
@woodruffw
Merge branch 'main' into ww/p256
af22ac0 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw requested a review from di June 6, 2023 15:13
@woodruffw woodruffw merged commit 10b9b1b into main Jun 7, 2023
@woodruffw woodruffw deleted the ww/p256 branch June 7, 2023 20:46
@woodruffw woodruffw mentioned this pull request Jun 7, 2023
Merged
lcordoui pushed a commit to lcordoui/sigstore-python that referenced this pull request Jun 11, 2023
@woodruffw
sign: switch to P-256 (sigstore#662)
920f381 
This is faster than P-384, is well-supported, and is well within
security margins.

Signed-off-by: William Woodruff <william@trailofbits.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

@haydentherapper haydentherapper haydentherapper left review comments

Assignees

@woodruffw woodruffw

Labels
component:signing Core signing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @di @haydentherapper