Update SigningConfig to specify API version and validity periods #539
Conversation
In order to faciliate clients gracefully handling breaking API changes, the SigningConfig will now include API versions for each of the service URLs so that clients can determine what services they are compatible with. Additionally, we've included validity periods which will be used to faciliate Rekor log sharding, when we spin up new log shards and distribute new key material. Fixes sigstore#474 Signed-off-by: Hayden Blauzvern <[email protected]>
|
A few things to note:
|
haydentherapper
requested review from
loosebazooka,
woodruffw,
kommendorkapten and
jku
| // Clients must select only Service with the highest API version | ||
| // that the client is compatible with and that is within its | ||
| // validity period. Clients should select the first Service | ||
| // that meets this requirement. |
There was a problem hiding this comment.
If the sort order is the same as for TrustedRoot
protobuf-specs/protos/sigstore_trustroot.proto
Lines 108 to 109 in e943ce1
| // These URL **MUST** be the "base" URLs for the transparency logs, | ||
| // which clients should construct appropriate API endpoints on top of. | ||
| // | ||
| // Clients must select ALL Services with the highest API version |
There was a problem hiding this comment.
This seems like a big change, as clients don't currently upload entries to multiple logs at once, and may not always want to. Could this be changed to ANY?
| // that the client is compatible with and that is within its | ||
| // validity period. Clients should select the first Service | ||
| // that meets this requirement. | ||
| repeated Service certificate_authority_urls = 6; |
There was a problem hiding this comment.
I wish the new field names were more meaningfully different from the old names but I don't have a great suggestion.
| // MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json or | ||
| // application/vnd.dev.sigstore.signingconfig.v0.2+json |
There was a problem hiding this comment.
This seems a bit unclear: after this PR this message documents v0.2 only but that's not said anywhere. Do we allow v0.1 to be used in future as well?
Bundle uses this language:
// MUST be application/vnd.dev.sigstore.bundle.v0.3+json when encoded as JSON. // Clients must to be able to accept media type using the previously defined formats: // [list follows]
Of course situation here is a bit different: we should document
- what we expect the instance to serve
- I'd like to say "MUST serve v0.2" but obviously there's a migration period here
- what we expect clients to handle
- MUST handle v0.2, SHOULD handle v0.1
| string media_type = 5; | ||
|
|
||
| // Deprecated: Use certificate_authority_urls |
There was a problem hiding this comment.
Can you explain the way these deprecations are useful (compared to just removing the fields):
- if a service does not want to support the new fields, I would expect them to just keep serving signingconfig v0.1?
- if a client supports signingvonfig v0.2 then they need to support the new fields so won't need these
Maybe I'm missing a case?
There was a problem hiding this comment.
is the idea that clients have an easier time supporting v0.2 if they can just update version number and keep doing what they are doing now?
|
I guess one option to make the transition to new SigningConfig as easy as possible is to not replace the old one but just offer a new one:
This would be a way to avoid a flag day for SigningConfig |
pretty sure sigstore-python will not parse the new data without code changes since the signingconfig version number changes |
I'll have a better look at this again this week as I feel there is something to this idea -- we may be mistakenly combining the two problem cases (backwards incompatible service migration and plain log instance rotation), the right solutions to each might actually be different |
In order to faciliate clients gracefully handling breaking API changes, the SigningConfig will now include API versions for each of the service URLs so that clients can determine what services they are compatible with. Additionally, we've included validity periods which will be used to faciliate Rekor log sharding, when we spin up new log shards and distribute new key material.
Fixes #474
Summary
Release Note
Documentation