Skip to content

Checkpoint spec compliance: Mismatched origin string with signature #2069

Description

@Hayden-IO

Context

Even though Rekor looks like a single log, it's backed by multiple trees, so that we can periodically shard the log to prevent indefinite growth. When verifying inclusion proofs, you use a tree-specific index for example. When verifying checkpoints, you use the tree size, not the total log size.

Problem

Here's the current checkpoint:

rekor.sigstore.dev - 2605736670972794746
79317123
Kmb+leehFHcnu5BxZCMqengfUR/yhOQuNcDE7kzmb94=

— rekor.sigstore.dev wNI9ajBFAiEAlMvpqFXBNC2hHHclvkSF3F/IwJWifmpJbqFSlHeur/kCIAiLLyjtqi/UhXl/PgIgnsFTP34doSOUYE00BXeS+GH1

Note the first line, rekor.sigstore.dev - 2605736670972794746, is the unique identifier for the tree. It appends the tree ID 2605736670972794746 to make the checkpoint unique.

Each signature line should start with the identifier for either the log or the witness that signs it. In this case, it's rekor.sigstore.dev, which is only the hostname, not the log origin. The first signature's identifier should match the origin string.

I'm surprised this was never noticed actually, because the log is being monitored by the omniwitness project. I guess the signature origin was never compared to the checkpoint origin.

Proposal

Change the identifier on the signature line to match the origin string.

Clients

I think we're good to make this change without any impact to clients. Looking over each client:

While out of scope for this issue, I wanted to mention that the next time we shard, we will plan to change the origin string to be more URL like as noted in #1450. Clients should not make any assumptions on the format of the string. I don't see any assumptions currently, so we're good to go.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions