
Clean up verified time handling #1489


Merged
merged 3 commits into from
Aug 6, 2025

Conversation

jku
Member

@jku jku commented Jul 30, 2025

DRAFT While I think about it -- there are a few ways to handle this, not sure this is right.

Try to handle TSA timestamps and rekor v1 integrated time in a sensible manner:

  • no special cases for when TSA timestamps are present
  • require one verified time by default
  • Only allow integrated time to be a verified time if entry is from rekor v1
  • VERIFY_TIMESTAMP_THRESHOLD now refers to "number of verified times", not just TSA timestamps
  • Tests use a rekor v1 bundle but expect it to be invalid if the timestamp is invalid -- but the integrated time is enough. Fix this by monkeypatching VERIFY_TIMESTAMP_THRESHOLD

Fixes #1488.

This would be backportable to make the 3.x branch able to verify newer bundles (that contain an "extra" TSA timestamp)
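As an added illustration of the policy sketched in the description above (example code, not sigstore-python's own implementation): verified times are collected uniformly from TSA timestamps and, only for Rekor v1 entry types, the integrated time, and a single threshold is enforced over the total. VERIFIED_TIME_THRESHOLD, the Bundle/LogEntry shapes and the certificate-window check are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed name for the threshold: how many verified times a bundle must carry.
VERIFIED_TIME_THRESHOLD = 1

@dataclass
class LogEntry:
    kind: str                           # e.g. "hashedrekord" or "dsse"
    version: str                        # "0.0.1" for Rekor v1 entry types
    integrated_time: Optional[datetime]

@dataclass
class Bundle:
    # TSA timestamps assumed to be already cryptographically verified.
    tsa_timestamps: List[datetime] = field(default_factory=list)
    log_entry: Optional[LogEntry] = None

class VerificationError(Exception):
    pass

def integrated_time_is_verifiable(entry: LogEntry) -> bool:
    """Only Rekor v1 entry types carry a signed integrated time that may count
    as a verified time; this mirrors the kind/version check discussed in the PR."""
    return entry.kind in ("dsse", "hashedrekord") and entry.version == "0.0.1"

def verified_times(bundle: Bundle, threshold: int = VERIFIED_TIME_THRESHOLD) -> List[datetime]:
    """Collect every verified time with no special-casing of TSA presence,
    then enforce the threshold over the total count."""
    times = list(bundle.tsa_timestamps)
    entry = bundle.log_entry
    if entry and entry.integrated_time and integrated_time_is_verifiable(entry):
        times.append(entry.integrated_time)
    if len(times) < threshold:
        raise VerificationError(f"{len(times)} verified time(s), need {threshold}")
    return times

def times_within_cert_validity(times: List[datetime], not_before: datetime, not_after: datetime) -> bool:
    """Assumed downstream use: every verified time must fall inside the signing
    certificate's validity window for the signature to be accepted."""
    return all(not_before <= t <= not_after for t in times)

# Constructed sample data, not taken from a real bundle.
SAMPLE_TIME = datetime(2025, 8, 6, 12, 0, tzinfo=timezone.utc)
REKOR_V1_ENTRY = LogEntry("hashedrekord", "0.0.1", SAMPLE_TIME)
REKOR_V2_ENTRY = LogEntry("hashedrekord", "0.0.2", SAMPLE_TIME)
```

With the default threshold a Rekor v1 bundle verifies on its integrated time alone, while a bundle whose entry is not a v1 type needs a TSA timestamp; raising the threshold (as the PR's tests do by monkeypatching) makes the same v1 bundle fail unless a second verified time is present.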

Try to handle TSA timestamps and rekor v1 integrated time in a sensible
manner:
* no special cases for when TSA timestamps are present
* require one verified time by default
* Only allow integrated time to be a verified time if entry is from rekor v1
* VERIFY_TIMESTAMP_THRESHOLD now refers to "number of verified times",
  not just TSA timestamps
* Tests use a rekor v1 bundle but expect it to be invalid if the
  timestamp is invalid -- but the integrated time is
  enough. Fix this by monkeypatching VERIFY_TIMESTAMP_THRESHOLD

Signed-off-by: Jussi Kukkonen <[email protected]>
@jku jku force-pushed the cleanup-verified-time branch from 60b5906 to f638e6d Compare July 30, 2025 13:47
@woodruffw
Member

Thanks for poking at this @jku! Let me know when I should do a review.

  • VERIFY_TIMESTAMP_THRESHOLD now refers to "number of verified times", not just TSA timestamps

Perhaps we could make it SIGNED_TIMESTAMP_THRESHOLD to make it clear that the check is now (correctly) more generic?

This would be backportable to make the 3.x branch able to verify newer bundles (that contain an "extra" TSA timestamp)

Yeah, I think that would be ideal!

@jku jku marked this pull request as draft July 30, 2025 18:09
VERIFIED_TIME_THRESHOLD makes more sense since integrated time is also
in this threshold.

Strictly speaking this is an API change but since the meaning
has (slightly) changed already that makes sense.

Signed-off-by: Jussi Kukkonen <[email protected]>
Comment on lines +228 to +229
```python
kv = bundle.log_entry._kind_version
if not (kv.kind in ["dsse", "hashedrekord"] and kv.version == "0.0.1"):
```
Member Author


this check will not work when backported to 3.x (as log_entry does not have kindversion there) but the check can be removed there -- only 0.0.1 versions are supported anyway

@jku
Member Author

jku commented Aug 5, 2025

  • VERIFY_TIMESTAMP_THRESHOLD now refers to "number of verified times", not just TSA timestamps

Perhaps we could make it SIGNED_TIMESTAMP_THRESHOLD to make it clear that the check is now (correctly) more generic?

I originally avoided this thinking about the potential backport and the fact that technically this is API... but I think I agree with you:

  • the semantics are already changing, better change the name as well
  • this is only technically part API, in reality it's more a marker for "this is where you would plug in timestamp policy management if it existed"

@jku
Member Author

jku commented Aug 5, 2025

This should be ready.

It's backportable to 3.x (with the small caveat mentioned in a code comment) and that makes bundles created with current main using --rekor-version 1 (#1471) verifiable with a 3.x client.

@jku jku marked this pull request as ready for review August 5, 2025 10:28
@jku jku requested a review from woodruffw August 5, 2025 10:28
Member

@woodruffw woodruffw left a comment


LGTM, thanks @jku!

How do you want to do the backport here? I figure it probably makes sense to land before #1470.

@jku
Member Author

jku commented Aug 6, 2025

How do you want to do the backport here? I figure it probably makes sense to land before #1470.

Thanks, I'll merge this now. I'll make the backport a new PR today/tomorrow

@jku jku merged commit 7184eab into sigstore:main Aug 6, 2025
23 checks passed
jku added a commit to jku/sigstore-python that referenced this pull request Aug 6, 2025
* Clean verified time handling
* verify: Rename VERIFY_TIMESTAMP_THRESHOLD
Successfully merging this pull request may close these issues.

Make timestamp/established time policy enforcement clearer