Implement Identity-based Transparency Logging#828
Draft
Hayden-IO wants to merge 2 commits into
Draft
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #828 +/- ##
==========================================
- Coverage 27.97% 27.90% -0.08%
==========================================
Files 61 67 +6
Lines 3199 3587 +388
==========================================
+ Hits 895 1001 +106
- Misses 2202 2466 +264
- Partials 102 120 +18 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
fb393e2 to
3097ca1
Compare
Hayden-IO
commented
Jun 11, 2026
3097ca1 to
0ce74d5
Compare
Hayden-IO
commented
Jun 11, 2026
bbfa687 to
7c45f24
Compare
Hayden-IO
commented
Jun 17, 2026
65fd9bf to
2b2a8bd
Compare
loosebazooka
reviewed
Jul 8, 2026
loosebazooka
left a comment
Member
There was a problem hiding this comment.
Could this maybe be split up into
- empty server stub
- createEntry implementation?
Comment on lines
+91
to
+100
| if r, ok := server.(pb.RekorServer); ok { | ||
| pb.RegisterRekorServer(s, r) | ||
| } | ||
| if i, ok := server.(pb.IdentityRekorServer); ok { | ||
| pb.RegisterIdentityRekorServer(s, i) | ||
| } | ||
| if h, ok := server.(grpc_health_v1.HealthServer); ok { | ||
| grpc_health_v1.RegisterHealthServer(s, h) | ||
| } | ||
|
|
Member
There was a problem hiding this comment.
Type checking occurs before this call, but it appears we're not covering the full scope of the any on the function signature. Does it make sense to have some redundant runtime check here (or moving the other check from serve.go here) where the any is actually consumed.
cmurphy
reviewed
Jul 10, 2026
4a5410b to
9a1d5b7
Compare
Contributor
Author
|
Splitting this into two PRs, #871 with the API and empty server stub first. |
This change introduces a new log entry format and dedicated server backend to support Identity-based Transparency Logging as specified in [c2sp.org/identity-transparency](C2SP/C2SP#244). Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
9a1d5b7 to
b681160
Compare
This change provides the full implementation and tests for the Identity-based Transparency Logging Server. This change supports the new entry type, with only Ed25519 signatures as credentials. This will be proceeded by support for OIDC tokens as credentials, and ML-DSA signatures as credentials. Partially implements sigstore#827, with the remaining PRs to support ML-DSA and an additional GCP backend for PGI deployment. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
b681160 to
2299900
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change provides the full implementation and tests for the Identity-based Transparency Logging Server.
This change supports the new entry type, with only Ed25519 signatures as credentials. This will be proceeded by support for OIDC tokens as credentials, and ML-DSA signatures as credentials.
Partially implements #827, with the remaining PRs to support ML-DSA and an additional GCP backend for PGI deployment.
Coding assisted with Gemini, reviewed entirely by me.