Backport verified time changes #1492
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Clean verified time handling Try to handle TSA timestamps and rekor v1 integrated time in a sensible manner: * no special cases for when TSA timestamps are present * require one verified time by default * Only allow integrated time to be a verified time if entry is from rekor v1 * VERIFY_TIMESTAMP_THRESHOLD now refers to "number of verified times", not just TSA timestamps * Tests use a rekor v1 bundle but expect it to be invalid if the timestamp is invalid -- but the integrated time is enough. Fix this by monkeypatching VERIFY_TIMESTAMP_THRESHOLD Signed-off-by: Jussi Kukkonen <[email protected]> * verify: Rename VERIFY_TIMESTAMP_THRESHOLD VERIFIED_TIME_THRESHOLD makes more sense since integrated time is also in this threshold. Strictly speaking this is an API change but since the meaning has (slightly) changed already that makes sense. Signed-off-by: Jussi Kukkonen <[email protected]> --------- Signed-off-by: Jussi Kukkonen <[email protected]>
This check came with the backport of verified time fix, but it is not useful here since we only support 0.0.1 entry types (and is problematic since the LogEntry does not have the required fields here) Signed-off-by: Jussi Kukkonen <[email protected]>
This test no longer exists in main branch and the expected result has changed (valid_for.end is optional). In 3.6.x we want to keep testing the same thing we used to, so set VERIFIED_TIME_THRESHOLD = 2, meaning both integrated time and timestamp are needed (but expect timestamp to not be used since valid_for.end is not set) Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
woodruffw
approved these changes
Aug 6, 2025
|
Thanks @jku!
Yeah, go for it 🙂 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This backports #1489 into 3.6.x: the point is to make sure that sigstore-python 3.6.x can verify a bundle created by sigstore-python 4.0 (if that bundle contains a rekor v1 entry and an additional timestamp). Currently the verification fails on staging because
This PR changes the last point: integrated time is enough.
I can add the release changes in this PR as well if there's nothing else for 3.6.5