Bump sigstore-go version #2106
Bump sigstore-go version #2106
Conversation
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
…re-go Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
| @@ -49,7 +49,7 @@ func New(trustedRoot, accessToken, cacheDir string) (*Sigstore, error) { | |||
| return nil, err | |||
| } | |||
| sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verify.WithSignedCertificateTimestamps(1), | |||
| verify.WithTransparencyLog(1), verify.WithOnlineVerification()) | |||
There was a problem hiding this comment.
Is this because the API changed between versions, or is there a different reason for it?
There was a problem hiding this comment.
This one is an API change 👍
There was a problem hiding this comment.
Yea, we've separated requiring a number of transparency log entries from timestamps. Using the new WithObserverTimestamps API states that you require at least one timestamp from any source (the preferred API to use).
| @@ -49,7 +49,7 @@ func New(trustedRoot, accessToken, cacheDir string) (*Sigstore, error) { | |||
| return nil, err | |||
| } | |||
| sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verify.WithSignedCertificateTimestamps(1), | |||
| verify.WithTransparencyLog(1), verify.WithOnlineVerification()) | |||
| verify.WithTransparencyLog(1), verify.WithOnlineVerification(), verify.WithObserverTimestamps(1)) | |||
There was a problem hiding this comment.
Just wondering, what is the need for online verification? Is it that there is no state and bundles aren't persisted?
There was a problem hiding this comment.
@haydentherapper - Currently Minder handles sigstore verification by processing artifact publish events from GitHub - when a signature comes, extract whatever is needed from it (build a v1 bundle, prev. it was using cosign verify) and verify it.
My impression was that we can't avoid the online verification yet since the signature we get is missing the inclusion proof rekor details we should provide in order to use the v2 bundle version(cosign does not store it).
I recall we touched this in the sigstore-go PR about the OCI example, so thus why I defaulted to online verification (ref. comment). At least this was my understanding for it back then, but I'll be happy to revisit and align this to sigstore-go's preferred approach if you have suggestions 💯
There was a problem hiding this comment.
Yep, you’re totally right, forgot this is because it’s using the converted v0.1 bundles.
There was a problem hiding this comment.
Thanks for the input though! 👍 I would be happy to keep minder on par with the latest sigtore-go, i.e. update to the latest bundle version once this is possible, etc.
| @@ -49,7 +49,7 @@ func New(trustedRoot, accessToken, cacheDir string) (*Sigstore, error) { | |||
| return nil, err | |||
| } | |||
| sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verify.WithSignedCertificateTimestamps(1), | |||
| verify.WithTransparencyLog(1), verify.WithOnlineVerification()) | |||
There was a problem hiding this comment.
Yea, we've separated requiring a number of transparency log entries from timestamps. Using the new WithObserverTimestamps API states that you require at least one timestamp from any source (the preferred API to use).
Fixes #2105