Use an in memory timestamping key #402

asraa · 2021-07-30T17:06:22Z

Signed-off-by: Asra Ali asraa@google.com

Generates an in-memory timestamping key. The rekor signer creates a timestamping certificate for this key.
If a timestamp_chain is loaded in, then this is used for the timestamping chain. It's leaf must be a certificate for the rekor signer.
Otherwise, a self-signed in-memory CA is created.

Tested with both in-memory signer (no chain) and a timestamp_chain loaded in authorizing the rekor signer as a CA to issue timestamping certificates

Signed-off-by: Asra Ali <asraa@google.com>

asraa · 2021-07-30T17:06:30Z

pkg/signer/memory.go

Signed-off-by: Asra Ali <asraa@google.com>

asraa · 2021-07-30T17:41:06Z

Thanks for the check! Confirmed it work in the cases:

Load up a gcpkms signer and a timestamping cert chain -> uses the signer to create a TSA cert, and verifies with the chain provided (the cert chain must authorize the signer to be a CA)
Load up a gcpkms signer and no timestamping cert chain -> creates an in-memory root CA which creates the TSA cert
Load up an in-memory signer and no timestamping cert chain -> creates an in-memory root CA which creates the TSA cert
If you load up an in-memory signer and a timestamping cert chain -> you will fail on start up because it won't verify the chain

use an in memory timestamping key

39379a3

Signed-off-by: Asra Ali <asraa@google.com>

dlorenc reviewed Jul 30, 2021

View reviewed changes

pkg/signer/memory.go Outdated Show resolved Hide resolved

pkg/signer/memory.go Outdated Show resolved Hide resolved

address comments

f22e735

Signed-off-by: Asra Ali <asraa@google.com>

dlorenc approved these changes Jul 30, 2021

View reviewed changes

dlorenc merged commit cfb395d into sigstore:main Jul 30, 2021

cpanato added this to the v0.4.0 milestone Aug 4, 2021

cpanato modified the milestones: v0.4.0, v1.0.0 Aug 25, 2021

Provide feedback