
[bug] verify-blob & rekor shards: search all shards for proposed entries #2294

Closed
asraa opened this issue Sep 28, 2022 · 1 comment · Fixed by #2297
Labels
bug Something isn't working

Comments

@asraa
Contributor

asraa commented Sep 28, 2022

Description

fluxcd/source-controller#899 (comment)

After rekor sharded, the current Rekor tree is moved to a new one.

When verifying blobs, we search the Rekor log for proposed entries:

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (entry *models.LogEntryAnon, err error) {

and expect that exactly one entry was retrieved.

Rekor CURRENTLY only searches the CURRENT tree for an entry, and will fail if the leaf is not present on the current log. That is causing the flux verify-blob failure after the shard rotation:

could not find entry in tlog: signature not found in transparency log
Error: verifying blob [./checksums.txt]: signature not found in transparency log

The entry did not exist on the current log.

As a fix (TBD), rekor will search ALL previous shards and may return more than one search entry. Because of this, the following changes need to happen in cosign:

  1. Allow multiple entries returned from SearchLogQuery.
  2. In the cosign case, we need to start using a function like tlogFindEarliestEntry to replace
     func tlogFindEntry(ctx context.Context, client *client.Rekor,
     : the earliest entry with the earliest integrated time will always suffice for expiration checks.
  3. In the container case, these funcs also need to be fixed, again, to handle multiple return entries and to select the earliest one for the certificate validation.

Note: old clients MAY be OK after the rekor fix: this will only affect users who are verifying blobs (or online lookups for containers) with cosign AND there were duplicate uploads on multiple shards. However, if there were re-uploads or duplicate entries across shards, old clients will break if rekor responds with multiple entries.

cc @haydentherapper @bobcallaway @priyawadhwa @lukehinds @stefanprodan

Version

All

@asraa asraa added the bug Something isn't working label Sep 28, 2022
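The selection step proposed in items 2 and 3 above, as an added example that is not code from the cosign or rekor projects: given the several entries a sharded Rekor can return for one signature (for instance an original upload on an old shard and a re-upload on the current one), keep the one with the smallest integrated time and reject the lookup entirely when no usable entry came back. The `tlogEntry` struct is an assumed stand-in for rekor's `models.LogEntryAnon` carrying only the two fields the logic needs; `findEarliestEntry` and `integratedWithinValidity` are hypothetical names, and the timestamps and UUIDs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// tlogEntry is an assumed stand-in for rekor's models.LogEntryAnon, reduced to
// the fields the selection logic needs. IntegratedTime is Unix seconds and is a
// pointer because the generated rekor model leaves it nil when the server omits it.
type tlogEntry struct {
	UUID           string
	IntegratedTime *int64
}

// errNotFound mirrors the failure message quoted in the issue.
var errNotFound = errors.New("signature not found in transparency log")

// findEarliestEntry (hypothetical name) picks the entry with the smallest
// IntegratedTime from the entries a sharded Rekor may return for one
// signature. Zero usable entries is the "not found" failure; entries without
// an integrated time are skipped because they cannot support an expiration check.
func findEarliestEntry(entries []tlogEntry) (*tlogEntry, error) {
	var earliest *tlogEntry
	for i := range entries {
		e := &entries[i]
		if e.IntegratedTime == nil {
			continue
		}
		if earliest == nil || *e.IntegratedTime < *earliest.IntegratedTime {
			earliest = e
		}
	}
	if earliest == nil {
		return nil, errNotFound
	}
	return earliest, nil
}

// integratedWithinValidity (hypothetical name) reports whether the log recorded
// the entry while the signing certificate was valid, i.e.
// notBefore <= integrated <= notAfter. This is the check for which the earliest
// entry suffices: a later re-upload of the same signature may well fall outside
// a short-lived certificate's window even though the original upload was in time.
func integratedWithinValidity(integrated int64, notBefore, notAfter time.Time) bool {
	t := time.Unix(integrated, 0)
	return !t.Before(notBefore) && !t.After(notAfter)
}

func i64(v int64) *int64 { return &v }

func main() {
	// Constructed sample: the same signature exists on two shards. The older
	// shard holds the original upload, the newer one a re-upload, and a third
	// record came back without an integrated time.
	entries := []tlogEntry{
		{UUID: "shard1-reupload", IntegratedTime: i64(1664400000)},
		{UUID: "shard0-original", IntegratedTime: i64(1664300000)},
		{UUID: "missing-time", IntegratedTime: nil},
	}
	e, err := findEarliestEntry(entries)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Constructed 10-minute certificate window that opened shortly before signing.
	notBefore := time.Unix(1664299800, 0)
	notAfter := notBefore.Add(10 * time.Minute)
	fmt.Println("earliest:", e.UUID,
		"valid at integration:", integratedWithinValidity(*e.IntegratedTime, notBefore, notAfter))
}
```

With the constructed input the original upload is selected and passes the validity check, while the re-upload alone would have failed it, which is why the earliest entry, not an arbitrary one, must drive the expiration check.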
@asraa
Contributor Author

asraa commented Sep 28, 2022

Does anyone have some time to fix? If no one can volunteer I can "promise" my next free time goes to this, but... you know...
