-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Retrieve CTFE signing key via TUF #25
Comments
Now that we're including an intermediate key, this should also include that as well. |
Hi, we are a small team (@wxjdsr, @vcharapa) that is working with professor Santiago (@SantiagoTorres) on fixing this issue. |
Cool! Please let me or one of the other maintainers know if there's something we can do to help. |
👋 python-tuf maintainer and sigstore/root-signing contributor here. I posted a message on the #python Slack channel a few weeks back about some WIP changes I have to implement the certificate update workflow in python-sigstore. You can see my WIP branch here: https://github.com/joshuagl/sigstore-python/commits/joshuagl/tuf Apologies for not posting about that work here, I didn't find this issue when I tried searching for something about the TUF workflow 🤦 It would be cool to collaborate on this, or have your work build on top of mine, @wxjdsr and @vcharapa? |
Cool. I think we can collaborate on this. |
Great! Let me know how you want to proceed. Given timezone differences, if you want to build on my existing work (or even start afresh with that for inspiration) I'd be OK with that. Just want to make sure we aren't duplicating efforts, so please let me know how you would like to proceed :-) |
Sorry for late reply. |
Awesome, look forward to seeing your changes. I'd be more than willing to collaborate in any way that is useful for you and your team. Feel free to ping me on Sigstore Slack (I'm in the #python channel). If you look at the branch I linked to above (https://github.com/joshuagl/sigstore-python/commits/joshuagl/tuf), you can see my WIP changes include initial retrieval of the TUF metadata and changes to access the certificates from a directory the TUF client fetches to, rather than accessing the bundled certificates using resourcelib (see joshuagl@e343366). What's next is adapting to the pending v5 root-signing changes in sigstore/root-signing#430 where, instead of fetching a hard-coded set of targets, each of the certificates listed in the Targets metadata have additional metadata in the For CTFE certificates we can query the metadata to retrieve only the targets in the which have |
While this will work currently for all top-level targets, we're also adding targets to folders named by their usage, so all targets under |
Thanks for chiming in @asraa! To be clear, are we recommending targets are searched by delegation path not by the usage field in custom? |
Searched by path (not necessarily delegation path): for top-level targets you can do either, but for other targets, we can't necessarily trust their usage field; we only trust that they were designated the correct delegation paths. (e.g. should a fulcio delegation be allowed to write to Technically for this root it's moot and the same since there are only top-level targets, but supporting based on paths would be stable going forward forever. |
Leaving a couple of notes:
|
Speaking of this: the best way forward is probably to keep Sigstore TUF root with only a top-level targets, where we CAN do path filtering because TUF clients can expose the top-level targets list. Then when we add delegations, we can view that as a new feature using one of the suggestions in the doc: I particularly like the well-known path location listing the targets. |
Just wanted to make sure I understand the conclusion reached here: when sigstore-python adds TUF support, should we discover the CT key(s) via their custom metadata, their filename, or some other mechanism? |
Since Target Discovery/endpoint to retrieve by usage is still "in flux", I think the simplest (and most secure) would be to rely on their filenames: IF we do update the target names, it will be at a point in time where we have this discovery piece laid out, and you could sub @joshuagl also has sigstore-python staged for our pre-submits when there's integration to make sure we won't break you before a TUF update. |
My WIP patches have the known cert filenames hard coded and just retrieve those after refreshing TUF metadata. I can pick up work on those patches after KubeCon next week, or hand-off to another interested party. Let's assign this issue so we know who's working on it? |
@wxjdsr/@vcharapa/@SantiagoTorres should that be one of you? Haven't heard from you on this issue in a while. |
Yes, we are working on it. |
I've assigned this issue to @wxjdsr. |
Let me or @tetsuo-cpp know if there's any help we can provide! |
For googleability, in older clients a missing key will manifest as a
and the solution is to upgrade to the latest version of the client with |
I plan to spend a bit of time on this this week: will update in a few days |
Hi, I'll be picking up the code that @wxjdsr sketched out. Should we submit a draft PR with their code or should I just finalize it and send it off in, say this weekend? |
@SantiagoTorres either works for us! A draft PR would help us make sure it meshes with our stabilization/1.0 plans, but whenever you feel it's ready. (If you have limited bandwidth to finalize it, @jku or I could take it over from the draft as well.) |
A bit more detail on this: this is included as a prerequisite for our 1.0 release which we're hoping to make before EOY. |
I'll leave some initial comments after just reading the code (I'm happy to work on this myself but I'm writing these down so A) it doesn't have to be me B) as reminder to myself):
|
Where is the code 😅? I don't see it on a PR. Your comments all sound reasonable (caveat being that I haven't reviewed it myself) -- in particular I agree completely that the Re: |
I think Jussi reviewed @joshuagl's WIP here: main...joshuagl:sigstore-python:joshuagl/tuf |
fair point. I was looking at joshuas and wxjdsr's branches (latter is on top of former). Just to be clear: no-one asked for a review on those but I just needed to get a feel for the current situation... https://github.com/wxjdsr/sigstore-python/commits/wxjdsr/tuf |
FWIW, I agree with your assessment. I think we could split some if this into separate stuff. I was mostly going to do some cherry picking on @wxjdsr 's branch this weekend in hopes to getting some early progress in |
Some notes on configuration:
|
This would be nice to have! I assume this is a standards topic, right?
Agreed. |
I'll report some results tomorrow: I've been playing with some potential changes today and expect I'll have something reasonable running tomorrow. |
Thanks a ton! Let me and @tetsuo-cpp know if we can help in any way. |
Okay, status update for https://github.com/jku/sigstore-python/commits/tuf-refactor (diff):
|
on staging: As it really looks like staging keys are not available from any TUF repo, I've disabled TUF for staging now: so TUF gets used:
|
I was completely incorrect: https://storage.googleapis.com/tuf-root-staging -- I am testing this right now |
If I'm understanding correctly, that leaves just the Fulcio certs, right? I see that they're at least hosted in the staging TUF repo, so we could do that as a follow-up 🙂 |
oh I'm on it already now that staging seems doable :) Fulcio should be supported now. I'm still getting a verify failure with |
At the moment, we've decided to check in the CTFE public key and use it to verify SCTs. The way this should really work is that we should check in the root key (
root.json
) and use it to download the CTFE key via TUF.The text was updated successfully, but these errors were encountered: