Key management improvement #936
Conversation
There was a problem hiding this comment.
I left some specific comments in code. The main feedback is that these items from william are the core ones:
- SigningContext and Verifier should probably take a TrustedRoot directly.
- RekorClient should have no key material within it at all.
Just to add to those:
- SigningContext and Verifier could still have staging() and production() helpers to make things easier for API users but the normal constructor call should look something like
Verifier(rekor_client, trusted_root) - CLI should create the TrustedRoot, and pass it to Verifier and SigningContext
- the CLI legacy args could be supported by "modifying" the TrustedRoot based on those args
- Verifier and SigningContext know that their purposes are verifying and signing: this does not need to be an argument in any of their public methods
- RekorClient should not need a trust root or a purpose
It's a long list of things but I think when we manage that , the code is hopefully significantly easier to understand.
|
I did not address the actual key choices in different situations... It's friday afternoon and I'm pretty sure I'll get it wrong. If you can document in a comment which keys are used in which situations in your PR that would probably be useful. The basic idea with KeyringPurpose seems good. |
|
Thanks @javanlacerda! I agree with @jku's feedback, and I'll add some of my own in a bit as well. For deconflicting: this will probably interact a bit with #937. In particular, that changeset may end up removing |
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
from
261457c to
397e166
Compare
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
from
0b1cb47 to
21eb980
Compare
|
@javanlacerda JFYI: it's easier to review the diffs here if you don't force-push each time -- it's okay to have a messy commit history while the PR is in progress, since we can squash or amend it before merge 🙂 |
I apologize!! I had to do that as I forgot to sign one of the commits in the middle 😞 |
No worries! I personally do |
|
/gcbrun |
|
This is looking pretty good to me, modulo the design question about the CLI flags. That boils down to whether we want to remove the CLI flags outright (fine by me, personally), or whether we want to keep them around for a bit and internally convert them into a I personally lean towards the former: we've been wanting to get rid of them for a while, and doing so will make future improvements much more straightforward. If @jku agrees, I think we can just go ahead and delete all of that 🙂 |
woodruffw
added
component:signing
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
from
9c63913 to
ee94ba2
Compare
There was a problem hiding this comment.
Looks really nice, this seems like the right direction. As for CLI arguments: I think I'm fine with removing them -- we could ping the slack channel with the specific list of arguments we intend to remove to see if anyone complains...
Are we going to lose testing coverage if the arguments are removed? probably not?
I might not have time this week to do proper testing/review but I left some minor comments, generally this looks good. I would really love more "description of changes" (as a simple example, if you move a bunch of code from one file to another, maybe mention if it's a direct copy or somehow modified).
sigstore/_internal/trustroot.py
Outdated
| trusted_root = cls.from_file(path) | ||
| trusted_root.args = args | ||
| trusted_root.purpose = purpose | ||
| return trusted_root |
There was a problem hiding this comment.
| trusted_root = cls.from_file(path) | |
| trusted_root.args = args | |
| trusted_root.purpose = purpose | |
| return trusted_root | |
| return cls.from_file(path, args, purpose) |
same suggestion applies to all other helper constructors
sigstore/_internal/trustroot.py
Outdated
| def rekor_keyring(self) -> RekorKeyring: | ||
| """Return public key contents given certificate authorities.""" | ||
|
|
||
| return RekorKeyring(self._get_rekor_keys()) |
There was a problem hiding this comment.
I believe you can just remove this wrapper method, and change
_get_rekor_keys(self) -> Keyring
into
rekor_keyring(self) -> RekorKeyring
right?
There was a problem hiding this comment.
it makes sense
sigstore/_internal/rekor/client.py
Outdated
| rekor_keyring=trust_root.rekor_keyring(), | ||
| ct_keyring=trust_root.ct_keyring(), | ||
| ) |
There was a problem hiding this comment.
I was kind of expecting RekorClient to not need at least one of these (that the users of these keyrings actually have access to a proper keyring and should be using these)... but maybe that's fine to leave for future PR?
There was a problem hiding this comment.
I just removed any trustedroot and keyring dependency from rekor client :)
Awesome! I will start making more comments about decisions. Do you guys think we should create a different issue/PR for removing the flags? cc @jku @woodruffw |
I believe not -- we basically don't hit the
I'm okay with either way. If we do it in a separate PR, we should merge that one first to ensure we don't have to adapt these changes too much. But if you find it easier to just update this one, I don't mind a larger diff here 🙂 |
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
2 times, most recently
from
4014282 to
28bd775
Compare
|
I did these forced push because I just removed a remaining |
There was a problem hiding this comment.
I think this file also needs deletions for the CLI flags themselves: the _parser() function needs to be updated to remove each of the arg definitions that have had their usages removed below.
javanlacerda
changed the title
|
/gcbrun |
|
Thanks @javanlacerda, this is looking pretty good! I'm going to give these changes a spin locally and do a final review afterwards, with the goal of merging today. (Mind updating the branch again?) |
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
from
e6f3e9c to
8d39dff
Compare
Done! :) |
|
/gcbrun |
refactors and adding trusted_root to Verifier and SigningContext move purpose from rekor client to trusted_root Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Co-authored-by: William Woodruff <[email protected]> Signed-off-by: Javan Lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
javanlacerda
force-pushed
the
javan.ref.internal_key_management_improvement
branch
from
8d39dff to
ea26820
Compare
|
please leave comments about changes (especially when force pushing): even a "rebase, no code changes" is useful. /gcbrun |
There was a problem hiding this comment.
LGTM and didn't observe any breakage in local testing. Thanks @javanlacerda!
Closes #927
It makes a refactor on code for a better key management. It makes the trusted root fully responsible by the key management, concentrating the responsibilities there.
It also removes the unused flags from the CLI. These properties are already provided by the trusted root.
Removed flags:
--certificate-chain--rekor-root-pubkey-ctfeSummary
It is a refactor to make the code cleaner and cohesive.
Release Note
Documentation
cc @woodruffw @jku