
haydentherapper
Contributor

With the recent changes we made to use sigstore-go rather than Cosign for signing and verification, ed25519 managed key support broke, because we were incorrectly specifying ed25519ph for dsse Rekor entries and not specifying ed25519ph for hashedrekord entries. This PR correctly sets load options for when signing and verifying a blob (using the prehash variant) and when signing/verifying attestations (using the pure variant). This also fixes a bug where the SignerVerifier Keypair didn't handle crypto.Hash(0) for ed25519, which specifies no hash when signing.

This has been tested with sign/verify, sign-blob/verify-blob, attest/verify-attestation, and attest-blob/verify-blob-attestation.

Summary

Release Note

Documentation

@haydentherapper haydentherapper requested a review from a team as a code owner September 16, 2025 23:38

codecov bot commented Sep 16, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 34.24%. Comparing base (2ef6022) to head (bc9c6d2).
⚠️ Report is 524 commits behind head on main.

Files with missing lines Patch % Lines
pkg/signature/keys.go 50.00% 7 Missing ⚠️
pkg/cosign/bundle/sign.go 0.00% 5 Missing ⚠️
cmd/cosign/cli/attest/attest.go 0.00% 4 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go 0.00% 4 Missing ⚠️
cmd/cosign/cli/sign/sign.go 0.00% 4 Missing ⚠️
cmd/cosign/cli/verify/verify.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/sign/sign_blob.go 0.00% 1 Missing ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 83.33% 1 Missing ⚠️
@@            Coverage Diff             @@
##             main    #4414      +/-   ##
==========================================
- Coverage   40.10%   34.24%   -5.87%     
==========================================
  Files         155      218      +63     
  Lines       10044    15638    +5594     
==========================================
+ Hits         4028     5355    +1327     
- Misses       5530     9591    +4061     
- Partials      486      692     +206     


@haydentherapper
Contributor Author

head -c 128 < /dev/urandom > artifact
cosign sign-blob --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --bundle artifact.sigstore.json --yes --key cosign.key artifact
cosign verify-blob --new-bundle-format --trusted-root trusted_root.json --bundle artifact.sigstore.json --key cosign.pub artifact

cosign attest-blob --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --statement intoto.txt --bundle intoto.sigstore.json --yes --key cosign.key
cosign verify-blob-attestation --bundle="intoto.sigstore.json" --key=cosign.pub --trusted-root trusted_root.json --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde8" --digestAlg="sha256"

cosign sign --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --yes --key cosign.key localhost:5050/busybox:latest
cosign verify --new-bundle-format --key cosign.pub  --trusted-root trusted_root.json localhost:5050/busybox:latest

cosign attest --predicate predicate.json --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --yes --key cosign.key localhost:5050/busybox:latest
cosign verify-attestation --new-bundle-format --key cosign.pub  --trusted-root trusted_root.json localhost:5050/busybox:latest

Contributor

@ret2libc ret2libc left a comment


LGTM!

@steiza
Member

steiza commented Sep 17, 2025

I'm so confused 😅 so help me check my understanding.

Fulcio does not support ed25519ph, but Rekor does. And if someone is using a key they manage (instead of Fulcio), we want to support ed25519ph and use that with Rekor as well.

In #4386 we removed some ed25519ph support, but did so in a way that broke "pure" ed25519 for self-managed keys. So we still aren't supporting ed25519ph with Fulcio, but we are fixing ed25519 for self-managed keys, and you can also use a self-managed ed25519ph key with Rekor. Did I get that right?

@haydentherapper
Contributor Author

haydentherapper commented Sep 18, 2025

Thanks y'all for the comments. I was a little preemptive putting this up, I need to fix e2e tests (they're failing because when the tlog isn't used, we use ed25519 - the prehash variant is only for hashedrekord).

@steiza, correct. This is to support self-managed ed25519 keys. A summary of what's supported and what's not:

Supported:

  • ed25519 key, signing an artifact
  • ed25519 key for an artifact + Rekor (ed25519ph + hashedrekord) <-- This is the only time the prehash variant is used
  • ed25519 key signing an attestation
  • ed25519 key for an attestation + Rekor (ed25519 + dsse)
  • For completeness, ECDSA/RSA + Fulcio (or without Fulcio) + Rekor (or without Rekor) for artifacts and DSSEs

Maybe supported:

  • ed25519 key signing an attestation + Fulcio + Rekor (ed25519 + dsse) - This should be possible but we might need to update how the SignerVerifier is loaded. I'll test this out.

Not supported:

  • ed25519 key + Fulcio + Rekor (ed25519ph + fulcio + hashedrekord, since Fulcio doesn't know how to verify ed25519ph signatures)
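The distinction the thread turns on (pure ed25519 for DSSE entries, ed25519ph for hashedrekord entries, and a signer that must accept crypto.Hash(0) as "no prehash") can be seen directly with Go's standard crypto/ed25519. The following is an added example, not code from this PR, cosign or sigstore-go: the function names signVariant, verifyVariant and crossVerify are mine, the prehash is SHA-512 because that is how RFC 8032 defines Ed25519ph, and the example does not reproduce how Rekor itself computes the digest stored in a hashedrekord entry. It shows that a signature made with one variant never verifies under the other, which is exactly why loading the wrong variant for an entry type breaks verification.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// signVariant signs msg with the Ed25519 variant selected by hash:
//   - crypto.Hash(0): pure Ed25519 (RFC 8032, no prehash). The message itself
//     is signed; this is the variant the thread pairs with DSSE entries.
//   - crypto.SHA512: Ed25519ph (RFC 8032, prehashed). The signature is made
//     over the 64-byte SHA-512 digest of msg; this is the variant the thread
//     pairs with hashedrekord entries.
// Any other hash is rejected, as Go's crypto/ed25519 itself does. The
// crypto.Hash(0) case is the one the PR description says the SignerVerifier
// Keypair previously mishandled.
func signVariant(priv ed25519.PrivateKey, msg []byte, hash crypto.Hash) ([]byte, error) {
	switch hash {
	case crypto.Hash(0):
		// crypto.Hash(0) is a valid SignerOpts meaning "unhashed message".
		return priv.Sign(rand.Reader, msg, crypto.Hash(0))
	case crypto.SHA512:
		// Ed25519ph: Go requires exactly a 64-byte SHA-512 digest here.
		digest := sha512.Sum512(msg)
		return priv.Sign(rand.Reader, digest[:], &ed25519.Options{Hash: crypto.SHA512})
	default:
		return nil, fmt.Errorf("ed25519: unsupported hash %v (want Hash(0) or SHA512)", hash)
	}
}

// verifyVariant checks sig over msg under the variant selected by hash.
func verifyVariant(pub ed25519.PublicKey, msg, sig []byte, hash crypto.Hash) bool {
	switch hash {
	case crypto.Hash(0):
		return ed25519.Verify(pub, msg, sig)
	case crypto.SHA512:
		digest := sha512.Sum512(msg)
		return ed25519.VerifyWithOptions(pub, digest[:], sig, &ed25519.Options{Hash: crypto.SHA512}) == nil
	default:
		return false
	}
}

// crossCheck records whether each signature verifies under its own variant
// (PurePure, PhPh) and under the other one (PurePh, PhPure).
type crossCheck struct {
	PurePure, PurePh, PhPh, PhPure bool
}

// crossVerify signs msg with both variants and verifies each signature under
// both, so a variant mix-up (the bug class this PR fixes) shows up as false.
func crossVerify(priv ed25519.PrivateKey, msg []byte) (crossCheck, error) {
	pub := priv.Public().(ed25519.PublicKey)
	sigPure, err := signVariant(priv, msg, crypto.Hash(0))
	if err != nil {
		return crossCheck{}, err
	}
	sigPh, err := signVariant(priv, msg, crypto.SHA512)
	if err != nil {
		return crossCheck{}, err
	}
	return crossCheck{
		PurePure: verifyVariant(pub, msg, sigPure, crypto.Hash(0)),
		PurePh:   verifyVariant(pub, msg, sigPure, crypto.SHA512),
		PhPh:     verifyVariant(pub, msg, sigPh, crypto.SHA512),
		PhPure:   verifyVariant(pub, msg, sigPh, crypto.Hash(0)),
	}, nil
}

func main() {
	// Constructed sample: a throwaway key and an arbitrary artifact payload.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	res, err := crossVerify(priv, []byte("constructed artifact bytes"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("pure sig, pure verify: %v\n", res.PurePure)
	fmt.Printf("pure sig, ph verify:   %v\n", res.PurePh)
	fmt.Printf("ph sig, ph verify:     %v\n", res.PhPh)
	fmt.Printf("ph sig, pure verify:   %v\n", res.PhPure)
	if _, err := signVariant(priv, []byte("x"), crypto.SHA256); err != nil {
		fmt.Println("SHA-256 rejected:", err)
	}
}
```

Run it with `go run .`; the two same-variant checks print true and the two cross-variant checks print false. The SHA-256 rejection mirrors the point that an ed25519 signer has only two legitimate hash settings, Hash(0) and SHA-512, so a loader that silently substituted SHA-256 (or dropped Hash(0)) would produce signatures no verifier accepts.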

With the recent changes we made to use sigstore-go rather than Cosign
for signing and verification, ed25519 managed key support broke, because
we were incorrectly specifying ed25519ph for dsse Rekor entries and not
specifying ed25519ph for hashedrekord entries. This PR correctly sets
load options for when signing and verifying a blob (using the prehash
variant) and when signing/verifying attestations (using the pure
variant). This also fixes a bug where the SignerVerifier Keypair didn't
handle crypto.Hash(0) for ed25519, which specifies no hash when signing.

This has been tested with sign/verify, sign-blob/verify-blob,
attest/verify-attestation, and attest-blob/verify-blob-attestation.

Signed-off-by: Hayden <[email protected]>