sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0

Compare the Rekor entry body to the artifact #177

Open haydentherapper opened 4 months ago

haydentherapper commented 4 months ago

Description

Tracking bug for https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/tlog.go#L174

This is not absolutely necessary because we do already compare against the signature which should effectively bind the entry to the artifact.

cmurphy commented 3 months ago

This is not absolutely necessary

Was there any more discussion on whether this is worth moving forward with?

I don't think cosign does this, from what I've been able to tell.

haydentherapper commented 3 months ago

IIRC yeah, Cosign does not check this either, it only compares signatures - https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1164-L1188

Signatures are malleable, for example an ECDSA signature can be represented in two ways, so a signature should not be considered unique. In this example, though, that doesn't present an issue from what I can tell; if anything, malleability would cause a comparison failure.

@woodruffw Did you have any thoughts here?
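The two points raised in this thread, that an ECDSA signature has a second valid encoding (r, n-s) and so its bytes are not a unique handle on anything, and that comparing the artifact digest to what the log entry records is the direct binding, can be shown in a few lines of Go. The following is an added example written for this page; it is not sigstore-go or Cosign code. The `entryBody` struct is a constructed stand-in for the digest fields of a log entry body, not the real Rekor type, and `FlipS`, `BothVerify` and `EntryBindsArtifact` are names chosen here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// ecdsaSig mirrors the ASN.1 SEQUENCE { r INTEGER, s INTEGER } that
// ecdsa.SignASN1 emits and ecdsa.VerifyASN1 parses.
type ecdsaSig struct {
	R, S *big.Int
}

// FlipS returns the other valid encoding of an ECDSA signature over the
// same digest, (r, n-s). It exists to show why signature bytes cannot be
// treated as unique: two byte strings verify for one message.
func FlipS(curve elliptic.Curve, sigDER []byte) ([]byte, error) {
	var sig ecdsaSig
	rest, err := asn1.Unmarshal(sigDER, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after signature")
	}
	n := curve.Params().N
	sig.S = new(big.Int).Sub(n, sig.S)
	return asn1.Marshal(sig)
}

// BothVerify reports whether two *distinct* encodings both verify for the
// same public key and digest. Byte comparison of signatures would call these
// different even though they authenticate the same artifact.
func BothVerify(pub *ecdsa.PublicKey, digest, sigA, sigB []byte) bool {
	return !bytes.Equal(sigA, sigB) &&
		ecdsa.VerifyASN1(pub, digest, sigA) &&
		ecdsa.VerifyASN1(pub, digest, sigB)
}

// entryBody is a constructed stand-in (not the real Rekor type) for the parts
// of a log entry body relevant here: the algorithm and hex digest of the
// artifact that was signed.
type entryBody struct {
	HashAlgorithm string
	HashValue     string // lowercase hex of the digest
}

// EntryBindsArtifact implements the check tracked in the issue: the digest
// recorded in the log entry must equal the digest of the artifact in hand.
// It compares digests, not signatures, so malleability is irrelevant to it.
func EntryBindsArtifact(body entryBody, artifact []byte) bool {
	if body.HashAlgorithm != "sha256" {
		return false
	}
	want, err := hex.DecodeString(body.HashValue)
	if err != nil {
		return false
	}
	got := sha256.Sum256(artifact)
	return bytes.Equal(want, got[:])
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed artifact bytes") // constructed sample input
	digest := sha256.Sum256(artifact)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	alt, _ := FlipS(elliptic.P256(), sig)
	fmt.Println("two encodings, both verify:", BothVerify(&priv.PublicKey, digest[:], sig, alt))

	body := entryBody{HashAlgorithm: "sha256", HashValue: hex.EncodeToString(digest[:])}
	fmt.Println("entry binds artifact:", EntryBindsArtifact(body, artifact))
	fmt.Println("entry binds altered artifact:", EntryBindsArtifact(body, []byte("something else")))
}
```

Go's `ecdsa.VerifyASN1` accepts either encoding, which is what makes the byte-equality comparison weak as a uniqueness check while still, as the thread notes, failing closed rather than open. The digest comparison is independent of how the signature was encoded.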