@cmurphy cmurphy commented Mar 11, 2025

Copy in the tink package from Rekor v1 so that it can be used by other services.

Relates to sigstore/rekor-tiles#9

Summary

Release Note

Documentation

Copy in the tink package from Rekor v1 so that it can be used by other
services.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

@haydentherapper haydentherapper left a comment

Should we copy in the code for GetPrimaryKey which initializes a Tink decrypter given a KMS key, and NewTinkSigner to decrypt a keyset given a key? https://github.com/sigstore/timestamp-authority/blob/1abfce06d86c2e78094ec537ddebc92c4f9a051b/pkg/signer/tink.go#L53-L100 (and tests)

There's a bit of deviation between NewTinkSigner across Fulcio, Rekor and the TSA. The TSA implementation looks to be the most up to date.

cmurphy commented Mar 11, 2025

> Should we copy in the code for GetPrimaryKey which initializes a Tink decrypter given a KMS key, and NewTinkSigner to decrypt a keyset given a key?

This isn't ideal for what we're trying to use it for in rekor; NewTinkSigner returns a crypto.Signer when what we need is a sigstore/sigstore/pkg/signature.Signer.

@haydentherapper haydentherapper left a comment

Sounds good. I guess GetPrimaryKey is also overkill since we only support GCP currently.

@haydentherapper haydentherapper merged commit c049f8d into sigstore:main Mar 11, 2025
16 checks passed