| Commit message | Author | Age | Files | Lines |
|
This is a tentative fix for #44: catch exceptions raised by requests if
it cannot connect to the log so that the witness can return the
expected exit codes.
|
Also adds the first tests (using pytest) & a short paragraph to the
README on how to run them.
|
Following API changes in log.
|
Following changes in log API.
|
This is what ssh-keygen -Y sign does.
|
Allow for 10s of clock drift too.
Bug reported by rgdd.
|
There's tools for key generation and conversion and there's tools for
signing and verifying a tree leaf. Note that the leaf signing tools
use the yet to be decided about SSH signing format, with message (i.e.
signer's checksum) being hashed with SHA-512 to match SSH
tooling (ssh-keygen -Y).
|
NOTE: default config directory is now ~/.config/sigsum-witness/
Also, change default log endpoint to poc.sigsum.org.
|
Signed Tree Heads binary format now contains a hash of the log pubkey.
v0/add-cosignature takes cosignatures in 'cosignature='.
|
NOTE: BREAKING COMPATIBILITY with old filenames
To keep a config working after applying this change, do
    mv signed_tree_head signed-tree-head
    mv signing_key signing-key
in the config directory.
|
Disallow time travel, tree shrinkage, new tree hash for same sized
tree, new tree size with same tree hash.
Consider an STH seen iff all three attributes -- timestamp, size,
hash -- are identical.
|
We return !0 for critical errors that need human intervention.
Let's consider a stale log and a log with a bad clock an intermittent
and non-critical error for now.
We might want to change requirements on logs to separate freshness
from clock skew. We should reconsider the severeness of those errors
if that change happens.
|
The rationale behind not allowing --bootstrap-log and
--generate-signing-key when they don't make any difference is that it
should be impossible to use them in scripts that run multiple times
since they're meant for manual "bootstrapping" procedures.
Another reason is that they require user intervention but not until
specific conditions arise (tree head missing, keyfile missing) which
may happen only "after some time". Failing early is helpful.
|
Given the importance of sane entropy and other operational security
issues, it makes sense to require --generate-signing-key and user
intervention to generate signing keys.
For automated tests and deployment, a key can be pre-generated by
other means.
|
Also, create base_dir in time, if it doesn't exist.
Also also, set permission on base_dir when creating it.
|
Since it's devastating to the value of the signature to not require a
consistency proof, make it less likely that it's done inadvertently.
|
Also, make the code that is doing hex encoding in ASCII more readable
by splitting up hashing and signing on the one side and hex encoding
and converting bytes to ASCII on the other.
|
First stab, rough edges, unstable interfaces, will break things, you
don't want to use it.