respect tlog-upload flag with TSA

[hectorj2f]

Signed-off-by: Hector Fernandez [email protected]

Summary

--tlog-upload flag was ignored when relying on time-stamping verification. We should allow disabling the tlog entry creation when relying on time-stamping.

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2474 (705d8a1) into main (8fc0c46) will decrease coverage by 0.01%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2474      +/-   ##
==========================================
- Coverage   30.35%   30.34%   -0.02%     
==========================================
  Files         139      139              
  Lines        8466     8469       +3     
==========================================
  Hits         2570     2570              
- Misses       5543     5546       +3     
  Partials      353      353              

Impacted Files	Coverage Δ
cmd/cosign/cli/policy_init.go	1.35% <0.00%> (ø)
cmd/cosign/cli/sign/sign.go	15.34% <0.00%> (-0.13%)	⬇️
cmd/cosign/cli/sign/sign_blob.go	0.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[priyawadhwa]

thanks!

[haydentherapper]

Hey @hectorj2f @priyawadhwa, I think we should revert this (or I'll remove it in my new PR).

Getting a timestamp should not affect whether or not you upload a rekor entry. It's not an alternative to signature transparency, it's only an alternative to where the timestamp comes from.

[priyawadhwa]

I disagree, for private artifacts users may not want to store anything in a transparency log and because the artifacts are private they aren't looking for signature transparency. Using a TSA instead of Rekor is a good option in that case. I think it's important to support both cases, and we've made it clear via flags that using a TSA is an insecure option.

[haydentherapper]

They should be setting tlog-upload=false in that case then. Only on verification is there an insecure-* flag, so it's not clear on signing that not uploading to the tlog is fundamentally changing the security model of Sigstore.

[haydentherapper]

Or maybe we have a global private-artifact flag that changes behavior?

I don't think the default should be not uploading to the transparency log however. The defaults must be secure by default, and removing the tlog upload isn't.

[priyawadhwa]

They should be setting tlog-upload=false in that case then.

That sounds good to me, that way it's explicit on sign and then we have insecure on verify. I'm ok with any reasonable combo of flags, my main point was just that the feature should be supported.

[haydentherapper]

Agreed! I see the issue in the previous code, that if keyless=true and tlog-upload=false, we don't respect tlog-upload. I'll submit a fix to always respect tlog-upload, regardless of if a TSA is used. Does that sound good?

[priyawadhwa]

SGTM