@jku jku commented Jun 5, 2025

Currently verification fails immediately if trusted root contains any unsupported keys. I think it makes more sense to warn and continue as it is possible these keys are not required for verification.

Unfortunately I missed this case when I tested the multiple log support in #1350 :(
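
The warn-and-continue behaviour described in the PR description above, as an added example that is not sigstore-python's code. `build_keyring`, `key_for_entry`, `SUPPORTED_KEY_TYPES` and the sample log entries are hypothetical names and constructed data. The point it shows is that an unsupported key is skipped at load time, yet an entry that actually needs that key still fails verification.

```python
import logging
from dataclasses import dataclass

logger = logging.getLogger("trust_example")

# Assumption: this hypothetical client can only verify with P-256 keys.
SUPPORTED_KEY_TYPES = {"PKIX_ECDSA_P256_SHA_256"}

class VerificationError(Exception):
    """Raised when no usable key exists for the log that signed an entry."""

@dataclass(frozen=True)
class LogKey:
    log_id: str
    key_type: str
    public_key: bytes

def build_keyring(tlog_entries):
    """Load usable log keys; warn about unsupported ones instead of raising."""
    keyring, skipped = {}, []
    for entry in tlog_entries:
        if entry["key_type"] not in SUPPORTED_KEY_TYPES:
            logger.warning("skipping log %s: unsupported key type %s",
                           entry["log_id"], entry["key_type"])
            skipped.append(entry["log_id"])
            continue
        keyring[entry["log_id"]] = LogKey(**entry)
    return keyring, skipped

def key_for_entry(keyring, skipped, log_id):
    """Fail closed, but only when the key actually needed is unavailable."""
    if log_id in keyring:
        return keyring[log_id]
    if log_id in skipped:
        raise VerificationError(f"log {log_id} uses an unsupported key type")
    raise VerificationError(f"log {log_id} is not in the trusted root")

# Constructed trusted-root excerpt: one supported log key, one unsupported.
SAMPLE_TLOGS = [
    {"log_id": "log-v1", "key_type": "PKIX_ECDSA_P256_SHA_256",
     "public_key": b"constructed-p256-key"},
    {"log_id": "log-v2", "key_type": "PKIX_ED25519",
     "public_key": b"constructed-ed25519-key"},
]

if __name__ == "__main__":
    ring, skipped_ids = build_keyring(SAMPLE_TLOGS)
    print(key_for_entry(ring, skipped_ids, "log-v1").key_type)
```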

jku commented Jun 5, 2025

I'm thinking of backporting this fix to a 3.6.x branch:

Currently verification fails immediately if trusted root contains
any unsupported keys. I think it makes more sense to warn and continue
as it is possible these keys are not required for verification.

Signed-off-by: Jussi Kukkonen <[email protected]>
@jku jku force-pushed the fail-softly-on-unsupported-keys branch from 887889c to 591ede8 Compare June 5, 2025 09:56
@jku jku linked an issue Jun 5, 2025 that may be closed by this pull request
@jku jku requested a review from woodruffw June 5, 2025 10:14
jku added a commit to jku/sigstore-python that referenced this pull request Jun 5, 2025
Don't fail hard if trusted root contains an unknown key type:
Verification may still succeed so warning is enough.

Signed-off-by: Jussi Kukkonen <[email protected]>
jku commented Jun 5, 2025

Marking this a draft while I do another test with the (future) staging trusted root

EDIT: Tested, looks good to me


@woodruffw woodruffw left a comment

LGTM, thanks @jku!

@woodruffw

> I'm thinking of backporting this fix to a 3.6.x branch:

Sounds good to me -- I see you opened the backport PR, give me a ping on it when it's ready for review 🙂

@jku jku merged commit 5d9b210 into sigstore:main Jun 5, 2025
23 checks passed
jku added a commit that referenced this pull request Jun 6, 2025
* Backport #1424

Don't fail hard if trusted root contains an unknown key type:
Verification may still succeed so warning is enough.

Signed-off-by: Jussi Kukkonen <[email protected]>

* Prep 3.6.3

This release only contains a small fix for handling of unsupported
keytypes in the trusted root.

Signed-off-by: Jussi Kukkonen <[email protected]>

---------

Signed-off-by: Jussi Kukkonen <[email protected]>
jku added a commit to jku/sigstore-python that referenced this pull request Oct 14, 2025
Fail less hard when unsupported keys are seen

Current trusted root contains keys this client version does not
understand: the keys are not necessary to verify or sign
bundles with rekor v1

Signed-off-by: Jussi Kukkonen <[email protected]>
jku added a commit that referenced this pull request Oct 24, 2025
* Backport: internal/trust: Fix bug in rekor key lookup

Rekor keyring can (and in future will) have multiple keys:
logs not only get sharded but once rekor-tiles is integrated in the
public good instance, there will be two writable logs for a while.

Backport of #1350

Signed-off-by: Jussi Kukkonen <[email protected]>

* Backport #1424

Fail less hard when unsupported keys are seen

Current trusted root contains keys this client version does not
understand: the keys are not necessary to verify or sign
bundles with rekor v1

Signed-off-by: Jussi Kukkonen <[email protected]>

* Backport: ci: fix offline tests on ubuntu-latest

Backport of #1283

Signed-off-by: Jussi Kukkonen <[email protected]>

* Bump 3.5.x series to 3.5.4

Signed-off-by: Jussi Kukkonen <[email protected]>

---------

Signed-off-by: Jussi Kukkonen <[email protected]>
Co-authored-by: William Woodruff <[email protected]>
Successfully merging this pull request may close these issues.

current release fails hard if trusted root contains ed25519

2 participants