
@wolfv wolfv commented Dec 1, 2025

Summary

This PR adds support for Sigstore's SigningConfig format and fixes V2 bundle compatibility with cosign.

Changes

SigningConfig Support

  • Added SigningConfig type to parse signing_config.v0.2.json from TUF
  • Implements dynamic service URL discovery for Fulcio, Rekor (V1/V2), TSA, and OIDC providers
  • Added SigningConfig::production() and SigningConfig::staging() for embedded configs
  • Added SigningConfig::from_tuf() and SigningConfig::from_tuf_staging() for TUF-fetched configs
  • Integrated into SigningContext via SigningContext::with_config()

TUF Offline Mode

  • Added offline mode support to TufConfig that:
    1. Checks local TUF cache for previously downloaded targets
    2. Falls back to embedded data if cache is unavailable
    3. Makes no network requests
  • Useful for air-gapped environments or when TUF servers are unreachable

V2 Bundle Fixes

  • Fixed integratedTime serialization for V2 bundles - now correctly omitted instead of being set to "0"
  • V2 entries use RFC3161 timestamps, not integratedTime
  • Bundles now verify correctly with cosign verify-blob --use-signed-timestamps

Rekor V2 Improvements

  • Fixed staging V2 URL (https://log2025-alpha2.rekor.sigstage.dev)
  • Updated examples to use SigningConfig for URL discovery

Files Changed

File                                        Description
sigstore-trust-root/src/signing_config.rs   New SigningConfig type and parsing
sigstore-trust-root/src/tuf.rs              TUF client with offline mode support
sigstore-trust-root/repository/*.json       Embedded signing configs
sigstore-bundle/src/builder.rs              V2 integratedTime fix
sigstore-sign/src/sign.rs                   SigningContext integration
sigstore-sign/examples/sign_blob.rs         Use SigningConfig
sigstore-rekor/src/entry.rs                 Fixed staging V2 URL

Testing

# Sign with V2 API
cargo run -p sigstore-sign --example sign_blob -- README.md -o bundle.sigstore.json --v2

# Verify with our verifier
cargo run -p sigstore-verify --example verify_bundle -- README.md bundle.sigstore.json

# Verify with cosign (V2 requires --use-signed-timestamps)
cosign verify-blob --bundle bundle.sigstore.json \
    --certificate-identity <email> \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --use-signed-timestamps \
    README.md

Notes

  • V2 verification with cosign requires --use-signed-timestamps flag because V2 bundles use RFC3161 timestamps instead of integratedTime
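The service-URL discovery the PR description summarises (pick the Fulcio, Rekor V1/V2 or TSA endpoint a signer should talk to), as an added example that is neither this PR's code nor the sigstore-rs SigningConfig API. It uses only the Rust standard library. The field names mirror the per-service entries of signing_config.v0.2.json (url, majorApiVersion, validFor start/end, operator), but the URLs, timestamps and the "latest validFor start wins" tie-break are constructed for the example and are assumptions; the real format's selector policy for multiple logs is not modelled. The security-relevant property it enforces is that a request for API v2 never silently falls back to a v1 endpoint, and that a log outside its validity window is never selected.

```rust
// Added example (not sigstore-rs code): choosing a service entry from a
// SigningConfig-style list before contacting Fulcio/Rekor/TSA.
// Field names follow signing_config.v0.2.json; data below is constructed.

use std::fmt;

/// One service entry: URL, API major version and validity window
/// (seconds since the Unix epoch; `valid_until == None` means still valid).
#[derive(Clone, Debug, PartialEq)]
pub struct Service {
    pub url: &'static str,
    pub major_api_version: u32,
    pub valid_from: u64,
    pub valid_until: Option<u64>,
    pub operator: &'static str,
}

#[derive(Debug, PartialEq)]
pub enum SelectError {
    /// No entry at all for the requested major API version.
    NoServiceForVersion(u32),
    /// Entries exist for the version, but none is valid at the given time.
    NoValidService { version: u32, at: u64 },
}

impl fmt::Display for SelectError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SelectError::NoServiceForVersion(v) => {
                write!(f, "no service configured for API v{v}")
            }
            SelectError::NoValidService { version, at } => {
                write!(f, "no API v{version} service is valid at t={at}")
            }
        }
    }
}

impl Service {
    /// validFor window check: start is inclusive, end is exclusive.
    fn valid_at(&self, now: u64) -> bool {
        self.valid_from <= now && self.valid_until.map_or(true, |end| now < end)
    }
}

/// Select the service for exactly `version` that is valid at `now`.
/// Never downgrades: asking for Rekor v2 when only v1 is configured is an
/// error, not a v1 URL. Among several valid entries the most recently
/// started one wins (assumption: this is how a rotated log supersedes
/// its predecessor in this example).
pub fn select(services: &[Service], version: u32, now: u64) -> Result<&Service, SelectError> {
    let same_version: Vec<&Service> = services
        .iter()
        .filter(|s| s.major_api_version == version)
        .collect();
    if same_version.is_empty() {
        return Err(SelectError::NoServiceForVersion(version));
    }
    same_version
        .into_iter()
        .filter(|s| s.valid_at(now))
        .max_by_key(|s| s.valid_from)
        .ok_or(SelectError::NoValidService { version, at: now })
}

/// Constructed sample: a v1 log retired at t=2_000_000_000, the v2 log
/// that replaced it, and a v2 shard that is not yet in service.
pub fn sample_rekor_tlogs() -> Vec<Service> {
    vec![
        Service { url: "https://rekor.example/v1-log", major_api_version: 1,
                  valid_from: 1_600_000_000, valid_until: Some(2_000_000_000), operator: "example" },
        Service { url: "https://rekor.example/v2-log", major_api_version: 2,
                  valid_from: 1_900_000_000, valid_until: None, operator: "example" },
        Service { url: "https://rekor.example/v2-future", major_api_version: 2,
                  valid_from: 2_100_000_000, valid_until: None, operator: "example" },
    ]
}

fn main() {
    let tlogs = sample_rekor_tlogs();
    let now = 2_050_000_000; // constructed "current time"
    for version in [1u32, 2, 3] {
        match select(&tlogs, version, now) {
            Ok(s) => println!("rekor v{version} -> {} (operator {})", s.url, s.operator),
            Err(e) => println!("rekor v{version}: {e}"),
        }
    }
}
```

At the constructed time the v1 log is past its window, so a caller that still wants V1 gets an error rather than a retired endpoint, while the v2 request resolves to the active log and ignores the shard whose window has not opened; a signer can then build its Rekor client from the returned URL and record the operator for later verification policy.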

@wolfv wolfv changed the title feat: full rekor v2 support feat: Add SigningConfig support and V2 bundle fixes Dec 1, 2025
@wolfv wolfv merged commit 51049c2 into main Dec 1, 2025
7 checks passed
2 participants