sigstore: add a CT keyring, use it for SCT verification #267
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
| pass | ||
|
|
||
|
|
||
| class CTKeyring: |
There was a problem hiding this comment.
Flagging for review: I welcome a better name for this class (and its corresponding exception class) 🙂
|
This is good for an initial review. Key changes:
|
Signed-off-by: William Woodruff <william@trailofbits.com>
sigstore/_internal/ctfe.py
Outdated
| ) | ||
| else: | ||
| # Unreachable. | ||
| raise CTKeyringError("unreachable") |
There was a problem hiding this comment.
nit: Error could be "unsupported key type" to be more descriptive
|
|
||
| def __del__(self) -> None: | ||
| self.session.close() | ||
|
|
||
| @classmethod | ||
| def production(cls) -> RekorClient: | ||
| return cls( | ||
| DEFAULT_REKOR_URL, _DEFAULT_REKOR_ROOT_PUBKEY, _DEFAULT_REKOR_CTFE_PUBKEY | ||
| DEFAULT_REKOR_URL, _DEFAULT_REKOR_ROOT_PUBKEY, CTKeyring.production() |
There was a problem hiding this comment.
Hm, this would require larger changes than should be in this PR, but is there a separate client for CT? The CT log and Rekor are separate logs. The CT log is accessed at ctfe.sigstore.dev/, and while all Sigstore clients don't need to do online verification (since they only verify the SCTs offline), it's separate from rekor. I'd recommend splitting these apart, or at least associated CT with Fulcio rather than Rekor
There was a problem hiding this comment.
Yeah, @asraa brought this up as feedback here: #263 (comment)
I agree that this should be broken out, and I'll do that in a follow-up 🙂
...and add a detailed exception.
WIP; just to get something up.Some TODOs:
--ctfeflag behavior needs to be updated to work with the newCTKeyringAPICloses #263.
Closes #260.