Skip to content

Verify validity of chain rather than just certificate#4663

Merged
Hayden-IO merged 1 commit into
mainfrom
sig-fix
Jan 23, 2026
Merged

Verify validity of chain rather than just certificate#4663
Hayden-IO merged 1 commit into
mainfrom
sig-fix

Conversation

@Hayden-IO

Copy link
Copy Markdown
Contributor

There was an assumption that a certificate would be issued during the validity period of all certificates in its chain. If a certificate was issued such that its NotAfter timestamp was past the NotAfter of another certificate in the chain, that would have not been detected. This is because during verification, we use the leaf certificate's NotBefore timestamp to verify the chain's validity, but check only the leaf certificate's validity against any provided timestamps (either from the Rekor timestamp, a signed timestamp, or the current time).

This scenario is not expected with a typical chain since a CA shouldn't issue a certificate that outlives an issuer.

This change enforces that the entire chain is valid at any of those provided timestamps.

Summary

Release Note

Documentation

There was an assumption that a certificate would be issued during the
validity period of all certificates in its chain. If a certificate was
issued such that its NotAfter timestamp was past the NotAfter of another
certificate in the chain, that would have not been detected. This is
because during verification, we use the leaf certificate's NotBefore
timestamp to verify the chain's validity, but check only the leaf
certificate's validity against any provided timestamps (either from the
Rekor timestamp, a signed timestamp, or the current time).

This scenario is not expected with a typical chain since a CA shouldn't
issue a certificate that outlives an issuer.

This change enforces that the entire chain is valid at any of those
provided timestamps.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
@Hayden-IO
Hayden-IO requested a review from a team as a code owner January 23, 2026 19:29
@Hayden-IO
Hayden-IO requested a review from bobcallaway January 23, 2026 19:29
@Hayden-IO
Hayden-IO enabled auto-merge (squash) January 23, 2026 19:29

@steiza steiza left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oof. Nice work. We really need to move everything over to sigstore-go.

@Hayden-IO
Hayden-IO merged commit 3c9a736 into main Jan 23, 2026
28 checks passed
@Hayden-IO
Hayden-IO deleted the sig-fix branch January 23, 2026 20:54
@Hayden-IO

Copy link
Copy Markdown
Contributor Author

Yep, very much agreed. I verified this doesn't affect sigstore-go because of a more reasonable ordering - gather your timestamps, then verify the chain against those timestamps.

piceri pushed a commit to piceri/cosign that referenced this pull request Jan 29, 2026
There was an assumption that a certificate would be issued during the
validity period of all certificates in its chain. If a certificate was
issued such that its NotAfter timestamp was past the NotAfter of another
certificate in the chain, that would have not been detected. This is
because during verification, we use the leaf certificate's NotBefore
timestamp to verify the chain's validity, but check only the leaf
certificate's validity against any provided timestamps (either from the
Rekor timestamp, a signed timestamp, or the current time).

This scenario is not expected with a typical chain since a CA shouldn't
issue a certificate that outlives an issuer.

This change enforces that the entire chain is valid at any of those
provided timestamps.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants