gitsign verify fails erratically (~50% of the time) when verifying timestamp signatures #589

Open
ajh- opened this issue Nov 2, 2024 · 1 comment
Labels
bug Something isn't working

Comments

ajh- commented Nov 2, 2024

Description

Using a private Sigstore setup in AWS, gitsign verify erratically fails to verify timestamp signatures with the error timestamp authority verification failed. It seems to happen about 50% of the time with no consistent pattern.

For example, it could successfully verify 5 commits in a row, fail the next 3, succeed 1, fail 2, succeed 3, fail 4, etc. Removing timestamps from the signing and verification process results in 100% successful verifications (as expected).

When using cosign sign and cosign verify against the same private Sigstore infrastructure, timestamp verifications are 100% successful.

sigstore/timestamp-authority is deployed as the timestamp authority server in this setup and uses an AWS KMS key for signing requests.

Version
v0.10.2

@ajh- ajh- added the bug Something isn't working label Nov 2, 2024
ajh- commented Nov 4, 2024

After some additional troubleshooting, gitsign seems to throw an error when the certificate notBefore value is equal to the signingTime value:

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: <ABSENT>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
        cert_info: 
          version: 2
          serialNumber: ...
          signature: 
            algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
            parameter: <ABSENT>
          issuer: CN=sigstore-fulcio
          validity: 
            notBefore: Nov  4 15:40:57 2024 GMT
            notAfter: Nov  4 15:50:57 2024 GMT
            ...
    signer_info:
            ...
            object: signingTime (1.2.840.113549.1.9.5)
            value.set:
              UTCTIME:Nov  4 15:40:57 2024 GMT

When signingTime is later than the notBefore value, gitsign verifies the timestamp as expected:

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: <ABSENT>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
        cert_info: 
          version: 2
          serialNumber: ...
          signature: 
            algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
            parameter: <ABSENT>
          issuer: CN=sigstore-fulcio
          validity: 
            notBefore: Nov  4 15:40:57 2024 GMT
            notAfter: Nov  4 15:50:57 2024 GMT
            ...
    signer_info:
            ...
            object: signingTime (1.2.840.113549.1.9.5)
            value.set:
              UTCTIME:Nov  4 15:40:58 2024 GMT

Based on my experience, if the certificate and timestamp are generated within the same time-based second, gitsign verify fails with the error:

Error: failed to verify detached signature: x509: certificate has expired or is not yet valid: timestamp authority verification failed
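The observation above (verification fails only when signingTime equals the certificate's notBefore) is the classic off-by-one-second edge of a validity-window check. The following Go program is an added example, not gitsign's or sigstore's code: it takes the notBefore, notAfter and the two signingTime values exactly as printed in the dumps, runs them through a hypothetical strict check (t > notBefore) and an RFC 5280 inclusive check (t >= notBefore), and then builds a throwaway self-signed certificate whose NotBefore is the same instant and asks crypto/x509 to verify it at that instant, which shows that Go's standard library treats the boundary second as valid. The function names, the StrictWindow variant and the test certificate are assumptions for illustration; nothing here claims where in gitsign's verification path the comparison actually happens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Values copied from the PKCS7 dumps in this issue: the Fulcio certificate's
// validity window and the two observed signingTime attributes.
const (
	NotBeforeStr = "Nov  4 15:40:57 2024 GMT"
	NotAfterStr  = "Nov  4 15:50:57 2024 GMT"
	FailingSign  = "Nov  4 15:40:57 2024 GMT" // equal to notBefore: fails in the report
	PassingSign  = "Nov  4 15:40:58 2024 GMT" // one second later: verifies
)

// ParseDumpTime parses the "Nov  4 15:40:57 2024 GMT" form that openssl prints
// for UTCTime values (space-padded day, one-second resolution).
func ParseDumpTime(s string) (time.Time, error) {
	return time.Parse("Jan _2 15:04:05 2006 MST", s)
}

// StrictWindow is a hypothetical buggy check (assumed for illustration): it
// accepts only instants strictly inside (notBefore, notAfter), so a
// signingTime equal to notBefore is rejected as "not yet valid".
func StrictWindow(t, notBefore, notAfter time.Time) bool {
	return t.After(notBefore) && t.Before(notAfter)
}

// InclusiveWindow follows RFC 5280 section 4.1.2.5: both boundaries are valid
// instants, i.e. notBefore <= t <= notAfter.
func InclusiveWindow(t, notBefore, notAfter time.Time) bool {
	return !t.Before(notBefore) && !t.After(notAfter)
}

// Verdict runs one signingTime against both checks using the issue's window
// and returns (strictOK, inclusiveOK).
func Verdict(signingTime string) (bool, bool, error) {
	nb, err := ParseDumpTime(NotBeforeStr)
	if err != nil {
		return false, false, err
	}
	na, err := ParseDumpTime(NotAfterStr)
	if err != nil {
		return false, false, err
	}
	st, err := ParseDumpTime(signingTime)
	if err != nil {
		return false, false, err
	}
	return StrictWindow(st, nb, na), InclusiveWindow(st, nb, na), nil
}

// StdlibAcceptsBoundary creates a throwaway self-signed certificate whose
// NotBefore is exactly t and verifies it with crypto/x509 at CurrentTime t.
// Go's verifier uses inclusive bounds, so a nil error is expected: the
// boundary second is valid as far as the standard library is concerned.
func StdlibAcceptsBoundary(t time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "boundary-test"}, // assumed name
		NotBefore:             t,
		NotAfter:              t.Add(10 * time.Minute), // same 10-minute lifetime as the dump
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: t, // evaluate validity at exactly notBefore
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	for _, s := range []string{FailingSign, PassingSign} {
		strict, inclusive, err := Verdict(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("signingTime %s: strict=%v inclusive=%v\n", s, strict, inclusive)
	}
	nb, _ := ParseDumpTime(NotBeforeStr)
	fmt.Println("crypto/x509 verify at notBefore:", StdlibAcceptsBoundary(nb))
}
```

Because both Fulcio's notBefore and the TSA's signingTime are UTCTime values with one-second resolution, a certificate issued and a timestamp requested within the same wall-clock second collide on exactly this boundary, which matches the roughly 50% failure rate when signing and timestamping happen back to back. Any check that evaluates the signing time against the window should use the inclusive comparison, or equivalently the standard library's verifier with CurrentTime set to the timestamp's signing time.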
