Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #3236, disable SCT checking for a cosign verification when usin… #3237

Merged
merged 2 commits into from
Sep 12, 2023

Conversation

jkjell
Copy link
Contributor

@jkjell jkjell commented Sep 12, 2023

…g a public key

Summary

This changes remove the Signed Certificate Timestamp checking when providing a public key to cosign verify. One of the issues SCT verification causes is the retrieval of its public keys from the TUF CDN by default. This breaks verification in disconnected or restricted environment. SCT is not necessary to validate a key pair.

Release Note

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Could you also make this change in the other verify* files, like

, ,

@codecov
Copy link

codecov bot commented Sep 12, 2023

Codecov Report

Merging #3237 (7eef302) into main (86252aa) will increase coverage by 0.01%.
The diff coverage is 40.00%.

@@            Coverage Diff             @@
##             main    #3237      +/-   ##
==========================================
+ Coverage   30.35%   30.37%   +0.01%     
==========================================
  Files         155      155              
  Lines        9834     9835       +1     
==========================================
+ Hits         2985     2987       +2     
+ Misses       6403     6402       -1     
  Partials      446      446              
Files Changed Coverage Δ
cmd/cosign/cli/verify/verify.go 21.38% <0.00%> (-0.07%) ⬇️
cmd/cosign/cli/verify/verify_attestation.go 3.33% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go 49.78% <100.00%> (+0.86%) ⬆️
cmd/cosign/cli/verify/verify_blob_attestation.go 33.17% <100.00%> (ø)

@haydentherapper haydentherapper enabled auto-merge (squash) September 12, 2023 21:20
@haydentherapper haydentherapper merged commit 1ee8bf9 into sigstore:main Sep 12, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Sep 12, 2023
lance pushed a commit to securesign/cosign that referenced this pull request Sep 25, 2023
…hen usin… (sigstore#3237)

* Fixes sigstore#3236, disable SCT checking for a cosign verification when using a public key

Signed-off-by: John Kjell <[email protected]>

* Update additional verify functionality

Signed-off-by: John Kjell <[email protected]>

---------

Signed-off-by: John Kjell <[email protected]>
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Signed Certificate Timestamp with Long-lived Keys
3 participants