Add support for ed25519 keys #1377
Conversation
Signed-off-by: Ramon Petgrave <[email protected]>
LGTM. Getting this tested should be easy... I don't think there is any problem just editing the
I'm marking "request changes" for the test: let me know if it seems to not be straightforward
@jku I tried to get sigstore-python to generate an ed25519 key for its signing certificate, changed all references from sha256 to sha512, but I still can't get it to work.
I think the linters we use, mypy and ruff, are enough to be sure I didn't mistype or use incorrect method signatures.
I don't think using sigstore-python for key generation is a good idea:
I would expect something like that to work as the key value in trustedroot.v1.json. I'm just looking for a test that verifies that we are feeding
@jku I added a test case for the trusted_root that contains the default tlog_key in rekor-tiles.
Cheers, lgtm.
Testing changes are not really needed in changelog, but I don't mind: trimming the changelog down is easy when doing the release prep.
/gcbrun
Clarifying: this is adding Ed25519 support at the trust layer, correct? Presumably we still need some API changes at the user sign/verify layers to support ephemeral Ed25519 keygen and signing.
@woodruffw yes, we still hardcode using an EC key for signing.
Client support for Rekor V2: sigstore-python
Summary
Resolves #1376, #1378
Adds support for ed25519 keys. In the cryptography library, there is not yet any support for ed25519ph operations.

Fixes the CI test for timestamp-authority to use the latest release, not the latest tag, since we could have new tags without associated release artifacts to download.
Release Note
sigstore/timestamp-authority
Documentation
None
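The kind of key-type dispatch this PR is about, as an added example that is not sigstore-python's code: a trusted-root public key (assumed to be carried as base64 DER SubjectPublicKeyInfo, as in trustedroot.v1.json) is loaded and, if it is Ed25519, verified with the pure scheme and no digest argument, because cryptography offers no ed25519ph; EC keys keep the explicit ECDSA/SHA-256 path. Key material and the checkpoint body are constructed for the demo.

```python
# Added example, not sigstore-python code. Assumes the tlog key is carried as
# base64 DER SubjectPublicKeyInfo (as in trustedroot.v1.json); keys and the
# checkpoint body are constructed here.
import base64
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519


def verify_with_trusted_key(spki_b64: str, message: bytes, signature: bytes) -> bool:
    """Check `signature` over `message` with a trusted-root key, by key type."""
    key = serialization.load_der_public_key(base64.b64decode(spki_b64))
    try:
        if isinstance(key, ed25519.Ed25519PublicKey):
            # Pure Ed25519: SHA-512 is applied inside the scheme, so no digest is
            # named. The prehashed variant (ed25519ph) is not available in the
            # cryptography library, so a trusted-root key can only be used pure.
            key.verify(signature, message)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            # ECDSA needs the digest named explicitly.
            key.verify(signature, message, ec.ECDSA(hashes.SHA256()))
        else:
            raise TypeError(f"unsupported tlog key type: {type(key).__name__}")
    except InvalidSignature:
        return False
    return True


def to_spki_b64(public_key) -> str:
    """Encode a public key the way a trusted root's rawBytes field carries it."""
    der = public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return base64.b64encode(der).decode("ascii")


def demo() -> dict:
    """Sign a constructed checkpoint body with both key types and verify each."""
    body = b"example-log.test - 1\n42\nY29uc3RydWN0ZWQgcm9vdCBoYXNo\n"  # constructed
    tampered = body.replace(b"\n42\n", b"\n43\n")
    ed_priv = ed25519.Ed25519PrivateKey.generate()
    ec_priv = ec.generate_private_key(ec.SECP256R1())
    ed_sig, ec_sig = ed_priv.sign(body), ec_priv.sign(body, ec.ECDSA(hashes.SHA256()))
    ed_key, ec_key = to_spki_b64(ed_priv.public_key()), to_spki_b64(ec_priv.public_key())
    return {
        "ed25519_ok": verify_with_trusted_key(ed_key, body, ed_sig),
        "ed25519_tampered": verify_with_trusted_key(ed_key, tampered, ed_sig),
        "ecdsa_ok": verify_with_trusted_key(ec_key, body, ec_sig),
        "ecdsa_tampered": verify_with_trusted_key(ec_key, tampered, ec_sig),
    }
```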