-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support non-Sigstore TSA requests #2708
Conversation
This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp) Fixes sigstore#2704 Signed-off-by: Hayden Blauzvern <[email protected]>
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #2708 +/- ##
==========================================
+ Coverage 30.15% 30.16% +0.01%
==========================================
Files 146 150 +4
Lines 9363 9438 +75
==========================================
+ Hits 2823 2847 +24
- Misses 6103 6156 +53
+ Partials 437 435 -2
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Will test PR in the morning |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add tests against these non-sigstore supported TSAs ?
Signed-off-by: Hayden Blauzvern <[email protected]>
Tested with Sigstore TSA:
Tested with FreeTSA:
@hectorj2f I don't think we should add a non-sigstore TSA to the e2e tests because that's adding an external dependency. |
How would we know we didn't break it ? Also, should we document the list of supported non-TSAs ? |
We just send the timestamp query to the timestamp authority, any TSA should work. We are no longer treating the sigstore TSA as different, so if we break something, we'll notice it in the e2e tests. |
I also want to make sure we're not describing the sigstore implementation of a TSA as something special. It's just an server implementation of rfc3161, there should be no differences in the accepted API requests and responses to any TSA implementation. This PR just changes the client so that you have to pass the path to fetch a TSR, whereas previously the sigstore tsa client knew the path. |
Sgtm |
This should be good to merge. |
Yes, let's merge it. We need to change the clients to adapt to these changes :). |
Do we know who's using this? This is just in the 2.0 RC so I assume we only need to update the blog post you published? |
@haydentherapper I was thinking the policy-controller, but the verification isn't affected by this. On the other hand, we use the signing piece in a different component, so whenever we release a new RC, I'll change our client calls. |
Ah, didn't realize it was used there. Would this only affect deployments of policy-controller? I assume there's no hardcoded TSA APIs, no other code should need to be updated |
Bump, should be ready for merging. |
* Support non-Sigstore TSA requests This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp) Fixes sigstore#2704 Signed-off-by: Hayden Blauzvern <[email protected]> * Address comments Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
This changes the client to instead simply exchange a TSQ for a TSR given a URL to the API. This will mean that for clients using timestamping currently, they will need to update their Cosign calls to use the full path (e.g. tsa.sigstore/api/v1/timestamp)
Fixes #2704
Signed-off-by: Hayden Blauzvern [email protected]
Summary
Release Note
Documentation