Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Specify sha256 in TSA request #1373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 9, 2025
Merged

Specify sha256 in TSA request #1373

merged 8 commits into from
May 9, 2025
+17 −1

Conversation

ramonpetgrave64
Copy link
Contributor

@ramonpetgrave64 ramonpetgrave64 commented May 8, 2025
edited
Loading

Client support for Rekor V2: sigstore-python

Summary

Resolves #1372

Makes the TSA request specify sha256 for the message digest, since verification currently assumes sha256. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

Release Note

  • TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.

Documentation

@ramonpetgrave64
request timestamp with sha256
d3a4bf2 
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64
changelog
0bc24c2 
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64
Merge branch 'main' into tsa-verify-sha
89a323c 
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64
backling
2fac58e 
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64
correct backlink
3b10d01 
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64 ramonpetgrave64 changed the title Tsa verify sha Specify sha256 in TSA request May 8, 2025
@ramonpetgrave64
Copy link
Contributor Author

@DarkaMaul

@jku
Copy link
Member

jku commented May 9, 2025

Makes the TSA request specify sha256 for the message digest, since verification currently assumes sha256.

I mentioned this in the issue but for completeness will repeat: I think we should fix verification directly since we can't just support timestamps made by sigstore-python so can't enforce which algorithms we will see. trailofbits/rfc3161-client#144 may be something usable?

@ramonpetgrave64
Copy link
Contributor Author

@jku I agree. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

@jku
Copy link
Member

jku commented May 9, 2025

@jku I agree. Verification shouldn't assume any specific algorithm, but I think for signing requests this library should specify an algorithm, for the sake of predictability.

Oh yeah that is a better reason for this PR than "verification currently assumes sha256". SGTM.

@jku
Copy link
Member

jku commented May 9, 2025

/gcbrun

jku
jku approved these changes May 9, 2025
View reviewed changes
Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, we should be choosing the algorithm explicitly when creating a timestamp. SHA-256 sounds fine to me and we can always bump that up (preferably after verification is ok with it).

I'll file a new issue for the verification hash being hard coded so we don't forget

@jku jku merged commit 572ccac into sigstore:main May 9, 2025
23 checks passed
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request May 7, 2025
Open
27 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku jku approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TSA request message digest defaults to sha256
2 participants
@ramonpetgrave64 @jku