Support non-Sigstore TSAs #2704
Labels
enhancement
New feature or request
Comments
|
RFC 3161 TSA's have a required API - shouldn't cosign be using that? That way it'd be compatible with all RFC 3161 TSA's. I think there were some specifics of the sigstore's TSA API, but maybe cosign should implement a TSA client from the base API in the spec? |
|
Yea, you're right, there isn't a specification for standardizing the API path, but there is for what the TSA should accept (a timestamp query). I agree, we can add a TSA client that fetches a TSR based on a TSQ and a provided path (FreeTSA uses |
haydentherapper
changed the title
haydentherapper
added a commit
to haydentherapper/cosign
that referenced
this issue
Feb 10, 2023
This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp) Fixes sigstore#2704 Signed-off-by: Hayden Blauzvern <[email protected]>
priyawadhwa
pushed a commit
that referenced
this issue
Feb 16, 2023
* Support non-Sigstore TSA requests This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp) Fixes #2704 Signed-off-by: Hayden Blauzvern <[email protected]> * Address comments Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
dmitris
pushed a commit
to dmitris/cosign
that referenced
this issue
Mar 24, 2023
* Support non-Sigstore TSA requests This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp) Fixes sigstore#2704 Signed-off-by: Hayden Blauzvern <[email protected]> * Address comments Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The sigstore TSA implements an API to fetch timestamps, as does any other public TSA. Every API uses different paths to request timestamps, but all should conform to the same API structure, accepting timestamp queries and returning timestamp responses. We should support providing a path (
timestamp-url) not to the sigstore TSA instance, but instead to the complete path to fetch a TSR (e.g.<sigstoretsapath.com>/api/v1/timestamp, orhttps://freetsa.org/tsr, orhttp://timestamp.digicert.com)This means using a different TSA client than the sigstore TSA client, which is only useful for fetching timestamps from a service that has the same API paths as the sigstore TSA.
Ignore everything below, left as an unnecessary alternative
For users that want to leverage a TSA that uses a different API than the sigstore TSA, we should support attaching a signed timestamp after artifact signing.
For container signing, UX would look something like:
--datashould be the signature)Verification with a signed timestamp should then work without any modification, but this should be confirmed.
For blob signing, during verification, simply pass the signed timestamp you fetched from a trusted TSA after signing with
--rfc3161-timestamp. The one caveat is it must be crafted as a [struct]cosign/pkg/cosign/bundle/tsa.go
Lines 18 to 24 in a84600e
The text was updated successfully, but these errors were encountered: