From 2e3de086944c643ad9cd0563c9aac28e83ef7fd8 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 31 May 2023 11:08:30 -0400
Subject: [PATCH] sigstore: experimental ed25519 support

Not working.

Signed-off-by: William Woodruff
---
 sigstore/_cli.py | 10 +++++-----
 sigstore/_internal/rekor/client.py | 2 ++
 sigstore/sign.py | 22 +++++++++-------------
 3 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/sigstore/_cli.py b/sigstore/_cli.py
index 5827ce4ce..4f3d6d2b8 100644
--- a/sigstore/_cli.py
+++ b/sigstore/_cli.py
@@ -663,11 +663,11 @@ def _sign(args: argparse.Namespace) -> None:
 for file, outputs in output_map.items():
 logger.debug(f"signing for {file.name}")

- with file.open(mode="rb", buffering=0) as io:
- result = signer.sign(
- input_=io,
- identity=identity,
- )
+ input_ = file.read_bytes()
+ result = signer.sign(
+ input_=input_,
+ identity=identity,
+ )

 print("Using ephemeral certificate:")
 print(result.cert_pem)
diff --git a/sigstore/_internal/rekor/client.py b/sigstore/_internal/rekor/client.py
index 8fab852a9..5d94c61f6 100644
--- a/sigstore/_internal/rekor/client.py
+++ b/sigstore/_internal/rekor/client.py
@@ -161,6 +161,8 @@ def post(
 },
 }

+ logger.debug(f"submitting rekor payload: {data}")
+
 resp: requests.Response = self.session.post(self.url, json=data)
 try:
 resp.raise_for_status()
diff --git a/sigstore/sign.py b/sigstore/sign.py
index 2e867bbc9..0f400877a 100644
--- a/sigstore/sign.py
+++ b/sigstore/sign.py
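Review bot: `file.read_bytes()` now loads each artifact fully into memory before signing, where the removed `with file.open(mode="rb", buffering=0) as io:` path streamed it to the signer; for large artifacts this is a memory regression. The change follows from the move to pure Ed25519, which signs the complete message and has no prehashed variant in this code path, so the trade-off deserves a comment at the call, e.g. `# Ed25519 signs the full message (no prehash), so the artifact is read into memory`. The body of _sign starts before this hunk and continues after it.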
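Review bot: The added `logger.debug(f"submitting rekor payload: {data}")` formats the entire entry payload eagerly even when debug logging is disabled; the lazy form `logger.debug("submitting rekor payload: %s", data)` defers that work. The payload presumably carries the signing certificate and the artifact signature, so this line can be large and writes the signer's certificate identity into debug logs; if that is acceptable, a comment saying so would stop a later reviewer from removing it. `post` starts before the hunk and continues after it.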
@@ -39,12 +39,11 @@
 import base64
 import logging
-from typing import IO
+from hashlib import sha256

 import cryptography.x509 as x509
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ed25519
 from cryptography.x509.oid import NameOID
 from pydantic import BaseModel
 from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import (
@@ -71,7 +70,7 @@
 from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.sct import verify_sct
 from sigstore._internal.tuf import TrustUpdater
-from sigstore._utils import B64Str, HexStr, PEMCert, sha256_streaming
+from sigstore._utils import B64Str, HexStr, PEMCert
 from sigstore.oidc import IdentityToken
 from sigstore.transparency import LogEntry
@@ -116,13 +115,11 @@ def staging(cls) -> Signer:
 def sign(
 self,
- input_: IO[bytes],
+ input_: bytes,
 identity: IdentityToken,
 ) -> SigningResult:
 """Public API for signing blobs"""
- input_digest = sha256_streaming(input_)
-
- private_key = ec.generate_private_key(ec.SECP384R1())
+ private_key = ed25519.Ed25519PrivateKey.generate()

 logger.debug(
 f"Performing CSR: identity={identity.identity} "
@@ -145,7 +142,7 @@ def sign(
 critical=True,
 )
 )
- certificate_request = builder.sign(private_key, hashes.SHA256())
+ certificate_request = builder.sign(private_key, None)

 certificate_response = self._fulcio.signing_cert.post(
 certificate_request, identity
@@ -163,9 +160,7 @@ def sign(
 logger.debug("Successfully verified SCT...")

 # Sign artifact
- artifact_signature = private_key.sign(
- input_digest, ec.ECDSA(Prehashed(hashes.SHA256()))
- )
+ artifact_signature = private_key.sign(input_)
 b64_artifact_signature = B64Str(base64.b64encode(artifact_signature).decode())

 # Prepare inputs
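Review bot: Changing `input_` from `IO[bytes]` to `bytes` is a breaking change to what the docstring still calls the public API; a caller that keeps passing an open file object will now fail later at `private_key.sign(input_)` with a TypeError instead of at the call site, and the docstring says nothing about the new contract. Either keep accepting `IO[bytes]` by reading it into bytes here, or update the docstring, e.g. `"""Public API for signing blobs; input_ is the complete artifact as bytes."""`. Whether Fulcio issues certificates for Ed25519 keys is not established by anything in this patch and is worth confirming given the commit message. The body of sign continues past the hunk.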
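Review bot: `builder.sign(private_key, None)` reads like a dropped argument to anyone who remembers the `hashes.SHA256()` form it replaces, and someone is likely to "fix" it back. A one-line comment prevents that, e.g. `# Ed25519 has a fixed internal hash; cryptography requires algorithm=None here`. The body of sign starts before this hunk and continues after it.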
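Review bot: `private_key.sign(input_)` now produces a pure-Ed25519 signature over the whole artifact, while the removed code signed the SHA-256 digest and the Rekor entry assembled later in this function is still keyed on `sha256_artifact_hash`; a hashed log entry cannot be checked against a signature over a message the log does not have, which is presumably why the commit is marked as not working. The verify path is not touched in this patch, so any verifier that still checks the signature against the digest would reject these signatures as well. If Ed25519 is to be supported, the signed message and the log entry type have to agree; at minimum this line needs a comment stating that the signature covers the raw input rather than its digest. The body of sign starts before this hunk and continues after it.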
@@ -174,6 +169,7 @@ def sign(
 )

 # Create the transparency log entry
+ input_digest = sha256(input_).digest()
 entry = self._rekor.log.entries.post(
 b64_artifact_signature=B64Str(b64_artifact_signature),
 sha256_artifact_hash=input_digest.hex(),
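Review bot: `input_digest = sha256(input_).digest()` is a second full pass over the artifact, computed after the signature and only for the log entry; computing it once at the top of sign, where the removed `sha256_streaming` call was, keeps the digest next to the data it describes and makes it available to anything else in the function that needs it. The body of sign starts before this hunk and continues after it.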