fix(cert-pinning): chain-match semantics + fresh rekor leaf pin (synth#306)#147
Open
avrabe wants to merge 1 commit into
Conversation
…urring Signing E2E breakage (synth#306)

rekor.sigstore.dev rotated its TLS leaf (again — Fulcio had the identical incident on 2026-05-19, #117): every synth Signing E2E run has been red with "Certificate pin mismatch for rekor.sigstore.dev: got 710dd397e55ca148...". The structural defect: verify_server_cert REQUIRED the leaf to match a pin and only logged intermediate matches informationally — inverted HPKP semantics. The Google Trust Services WR3 intermediate pin (valid to 2029) was present and correct the whole time; chain-matching would have survived both rotations.

- verify_server_cert now passes if the leaf OR any intermediate in the presented chain matches a configured pin (HPKP/RFC 7469 semantics). WebPKI validation in step 1 already proves the chain is coherent and anchored, so a pinned intermediate vouches for the leaf it issued. An intermediate-only match logs a refresh-the-leaf-pin hint.
- REKOR_PRODUCTION_PINS: added the rotated leaf SPKI 710dd397e55ca148baf8e0e69e54ef763fea611a91f11573dc6d3a2a7110187e (verified via direct openssl s_client fetch: issuer GTS WR3, notAfter 2026-09-02); previous leaf kept for transition/rollback.

With chain-match, the ~90-day GTS leaf rotations stop breaking CI until the WR3 intermediate itself rotates (2029) — and that event is the one worth a red gate.

12/12 cert_pinning tests pass, clippy clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jun 10, 2026
rekor.sigstore.dev rotated its TLS leaf — every synth Signing E2E run is red with "Certificate pin mismatch ... got 710dd397e55ca148...". Same incident class as #117 (Fulcio, 2026-05-19); it will recur every ~90 days until the matching semantics change.

Structural fix: verify_server_cert required the leaf to match and only logged intermediate matches — inverted HPKP semantics. The GTS WR3 intermediate pin (valid to 2029) was present and correct the whole time. Now: pass if the leaf or any intermediate in the presented chain matches (RFC 7469); WebPKI step 1 already anchors the chain, so a pinned intermediate vouches for its leaf. Intermediate-only match logs a refresh hint.

Plus: fresh rekor leaf pin (verified with openssl s_client: issuer GTS WR3, notAfter 2026-09-02), previous leaf kept for rollback.

After merge: cut a wsc release so synth can bump its pinned binary (synth's workflow pins wsc v0.9.0 by sha256 — that bump closes synth#306's signing half).

12/12 cert_pinning tests, clippy clean.

🤖 Generated with Claude Code
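An added illustration of the chain-match semantics this PR describes, placed here as example code rather than wsc's own verify_server_cert: the chain is modelled as hex SHA-256 SPKI digests, leaf first, that WebPKI validation is assumed to have already anchored; the previous-leaf and WR3-intermediate digests are constructed placeholders, and the rotated leaf digest is the one quoted in the PR.

```rust
use std::collections::HashSet;

/// Result of matching a presented chain against the configured pin set.
#[derive(Debug, PartialEq, Eq)]
pub enum PinMatch {
    /// The end-entity (leaf) SPKI digest matched a pin.
    Leaf,
    /// Only the intermediate at this chain index (0 = leaf) matched:
    /// the connection passes, but the leaf pin should be refreshed.
    Intermediate(usize),
    /// Nothing in the chain matched: reject the connection.
    NoMatch,
}

/// Pre-fix semantics: only the leaf is allowed to satisfy a pin.
pub fn match_leaf_only(chain: &[&str], pins: &HashSet<String>) -> bool {
    chain.first().map_or(false, |leaf| pins.contains(&leaf.to_ascii_lowercase()))
}

/// RFC 7469 (HPKP) semantics: the leaf OR any intermediate may satisfy a pin.
/// `chain` holds hex SHA-256 SPKI digests, leaf first; WebPKI validation is
/// assumed to have already proven the chain coherent and anchored.
pub fn match_chain(chain: &[&str], pins: &HashSet<String>) -> PinMatch {
    for (idx, spki) in chain.iter().enumerate() {
        if pins.contains(&spki.to_ascii_lowercase()) {
            return if idx == 0 { PinMatch::Leaf } else { PinMatch::Intermediate(idx) };
        }
    }
    PinMatch::NoMatch
}

/// Constructed replay of the incident: pins hold the previous leaf and the
/// WR3 intermediate, but the server now presents a rotated leaf.
pub fn rotated_leaf_scenario() -> (bool, PinMatch) {
    let old_leaf = "11".repeat(32); // constructed placeholder digest
    let wr3_intermediate = "22".repeat(32); // constructed placeholder for the WR3 pin
    // Rotated leaf SPKI digest as quoted in the PR description.
    let rotated_leaf = "710dd397e55ca148baf8e0e69e54ef763fea611a91f11573dc6d3a2a7110187e";
    let pins: HashSet<String> = [old_leaf, wr3_intermediate.clone()].into_iter().collect();
    let chain = [rotated_leaf, wr3_intermediate.as_str()];
    (match_leaf_only(&chain, &pins), match_chain(&chain, &pins))
}

fn main() {
    let (leaf_only, chain_match) = rotated_leaf_scenario();
    println!("leaf-only semantics pass: {leaf_only}"); // false: CI goes red
    println!("chain-match semantics: {chain_match:?}"); // Intermediate(1): pass, log refresh hint
}
```

A real implementation would compute the digests from the validated chain's SubjectPublicKeyInfo bytes; the matching logic is the same.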