Implementation details of adding rpm file as pluggable types #1606

Open
TommyLike opened this issue Aug 1, 2023 · 3 comments
Labels
question Further information is requested

Comments

@TommyLike

Question

Hey rekor team,
As a developer coming from a distro community, I would like to raise several questions regarding the implementation details of adding rpm file support.
First of all, the rekor entry of an rpm file, based on my understanding (from reading the related code rather than trying the demo), would be:

{
  "publicKey": {
    "content": "openPGP public key content"
  },
  "package": {
    "headers": {
      "Name": "package name",
      "Epoch": "package epoch",
      "Version": "package version",
      "Release": "package release name",
      "Architecture": "package architecture",
      "RPMSIGTAG_MD5": "MD5 checksum of header and payload",
      "RPMSIGTAG_SHA1": "SHA1 checksum of header",
      "RPMSIGTAG_SHA256": "SHA256 checksum of header"
    },
    "content": "full content of a rpm package in bytes, empty in entry record, used as temporary attributes",
    "hash": {
      "algorithm": "sha256",
      "value": "sha256 content of the full rpm package"
    }
  }
}

So my questions are as follows:

  1. Why is the signature missing from the entry? Is verifying the existence of the rekor entry identified by the package hash enough?
  2. Why do we need to add the "RPMSIGTAG_MD5"/"RPMSIGTAG_SHA1"/"RPMSIGTAG_SHA256" to the entry? Also, some of the signature headers such as RSA/PGP are missing.
  3. Is there support for uploading and verifying rpm packages in the rekor-cli? Currently I can't find any related sub-commands that can be used for this functionality.
  4. What is the suggestion for integrating rekor and the rpm entry within the package management system? Is there any community/developer working on this?
  5. What are the things to be done to fully support rpm in rekor? As an open source developer I am willing to work on this.
@TommyLike TommyLike added the question Further information is requested label Aug 1, 2023
@bobcallaway
Member

  1. The signature is embedded inside the content field when uploaded to a Rekor instance. It is not extracted and stored as part of the entry, because you need the entire RPM to verify the signature (given how the signature is embedded into the RPM file).
  2. We could probably do a better job of documenting this - but please note the readOnly and writeOnly tags in https://github.com/sigstore/rekor/blob/main/pkg/types/rpm/v0.0.1/rpm_v0_0_1_schema.json. Fields tagged as writeOnly mean they should only be specified when creating a new log entry, and readOnly means they will only be in entries returned by Rekor. Given this information, a client is not responsible for parsing RPM headers - they're included as verified metadata in the entry.
  3. Check out the --type flag - you can specify rpm as a value where --artifact points to the RPM file itself.
    For 4 & 5, I'd recommend engaging our #clients slack channel where they can give you more detail on the steps and potential integration points.

@TommyLike
Author


Thanks for your reply @bobcallaway, it's much clearer for me now. I have now made some progress on the RPM type:

  1. The rekor-cli only works when the rpm package is in V3 format, which means any package signed with the v4 format would fail.
  2. There isn't any signature information, only the public key bound to the rekor entry; also I think the content is not filled with the rpm package when uploading the entry. Here is the example: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af4534196a2047d33228d5de8186b4fa0ea19433648d759e57bd1eb6748735692
{
    "apiVersion": "0.0.1",
    "kind": "rpm",
    "spec": {
        "package": {
            "hash": {
                "algorithm": "sha256",
                "value": "35f6b7ceecb3b66d41991358113ae019dbabbac21509afbe770c06d6999d75c7"
            },
            "headers": {
                "Architecture": "x86_64",
                "Epoch": "0",
                "Name": "389-ds-base",
                "RPMSIGTAG_MD5": "2d308276640cb0d9a9dab243a7286593",
                "Release": "6.el7",
                "Version": "1.3.10.2"
            }
        },
        "publicKey": {
            "content": "LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgp4c0ZOQkZPbi8wc0JFQURMRHlaK0RRSGtjVEhEUVNFMGEwQjJpWUFFWHdwUHZzNjdjSjR0bWhlL2lNT3lWTWg5Cll3L3ZCSUY4c2NtNlQvdlBONWZvcHNLaVc5VXNBaEdLZzBlcEM2eTVlZCtOQVVIVEVhNnBTT2RvN0N5RkR3dG4KNEhGNjFFc3liNGd6UFQ2UWlTcjB6dmRUdGdZQlJaakFFUEZWdTNEaW8wb1o1VVFaN2Z6ZFpmZWl4TVE4Vk1UUQo0eTR4NXZpazlCK2NxbUdpcTlBVzcxaXhsRFlWV2FzZ1IwOTNmWGlEOU5MVDREVHRLK0tMR1lOako4ZU1ScWZaCldzN2c3Qys5YUVHSGZzR1ovU3hMT3VteC9HZmlUbG9hbDBkbnE4VEM3WFEvSnVOZEI5cWpvWHpSRitmYURVc2oKV3V2TlNRRXFVWFcxZHpKakJ2cm9FdmdUZGZDSmZScElnT3JjMjU2cXZETXAxU3hjaE1GbHRQbG81bWJTTUt1MQp4MXA0VWtBeng1NDNtZU1sUlhPZ3gyL2huQm02SDZMMEZzU3lEUzZQMjI0eUYrMzBlZU9ERDRKdTRCQ3lRMGpPCklwVXhtVW5BcG8vbTBlUmVsSTZUUmw3aks2YUdxU1lVTmhGQnVGeFNQS2dLWUJwRmhWelJNNjNKc3ZpYjgyclkKNDM4cTNzSU9VZHhaWTZwdk1PV1JrZFVWb3o3V0JFeFRkeDVOdEdYNGtkVzVRdGNRSE0rMmtodDZzQm5Kc3ZjQgpKWWNZSXdBVWVBNXZkUmZ3TEt1Wm42U2dBVUtkZ2VPdHVmK2NQUjMvRTY4TFpyNzg0U2xva2lITHRRa2ZrOThqCk5YbTZmSmpYd0p2d2lNMklpRnlnOGFVd0VFRFg1VStRT0NBMHdZcmdVUS9oOGlhdGh2QkpLU2M5alFBUkFRQUIKelVKRFpXNTBUMU10TnlCTFpYa2dLRU5sYm5SUFV5QTNJRTltWm1samFXRnNJRk5wWjI1cGJtY2dTMlY1S1NBOApjMlZqZFhKcGRIbEFZMlZ1ZEc5ekxtOXlaejdDd1hVRUV3RUNBQjhGQWxPbi8wc0NHd01HQ3drSUJ3TUNCQlVDCkNBTURGZ0lCQWg0QkFoZUFBQW9KRUNUR3FLZjBxQTYxVE4wUC8yNzMwVGg4Y00rZDFwRU9ON24wRjFZaXl4cUcKUXp3cEMyRmhyMlVJc1hwaS9sV1RYSUc2QWxSdnJhampGaHc5SGt0WWpsRjRvTUcwMzJTbkkwWFBkbXJOMjlsTApGK2VlMUFOZHl2dGt3NG1NdTJ5UXdlVnhVN0t1NG9BVFBCdldSdis2cENRUFRPTWU1eFBHMFpQalBHTmlKMHh3CjROcytmNVE2R3FtOTI3b0hYcHlsVVFFbXVIS3NDcDNkSy9rWmF4Sk9Yc21xNnN5WTFnYnJMajJBbnEwaVdXUDQKVHE4V01rdFVyVGNjK3pRMnBGUjdvdkVpaEswUnZobWs2L040KzRKd0FHaWpmaGVqeHdOWDhUNlBDdVlzNUppdgpoUXZzSTlGZElJbFRQNFhoRlo0TjluZG5Fd0E0QUg3dE5Cc21CM0hFYkxxVVNtdTJScjhoR2lUMlBsYzRZOUFPCmFsaVcxa09Nc1pGWXJYMzlrcmZSazJuMk5YdmllUUovbHczMThnU0dSNjd1Y2trejJaZWtiQ0Vwai8wbW5IV0QKM1I2VjdtOTVSNlVZcWpjdysrUTVDdFoydHpteG9tWlRmNDJJR0lLQmJTVm1JUzc1V1krY0JVTFV4M1BjWllIRApacUFiQjBEbDRNYmRFSDYxa09JOEViTi9UTGwxaTA3N3IrOUxYUjFtT25sQzNHTEQwMytYZlk4ZUVCUWY3MTM3CllTTWlXNXIvNXh3UWs3eEVjS2xiWmRtVUpwM1pEVFFCWFQwNnZhdnZwM2psa3FxSDlRT0U4VmlaWjZhS1FMcXYKcEwrNGJzNTJqenVHd1RNVDdnT1I1TXpEK3ZUMGZWUzdYbThNak94dlpnYkhzQWd6eUZHbEkxZ2dVUW1VN2x1Mwp1UE5MMGVSeDRTMUc0Sm41Cj1HS1RnCi0tLS0tRU5EIFBHUCBQVUJMSUMgS0VZIEJMT0NLLS0tLS0="
        }
    }
}

So do you know why the signature is missing from the rekor entry or content? Or is it just unnecessary because rpm has individual logic to verify the signature, and that is done when uploading the rpm package with the rekor cli?

@bobcallaway
Member

  1. This is a duplicate of "go-rpm does not support newer signature tags" #1569, I believe.
  2. Correct. The signature is embedded within the RPM, and requires parts of the RPM to verify - however there is no standard tooling that would do the verification independent of having the entire RPM to start with. This is why we put the hash value into the entry. It is assumed that the verifier has the RPM in question.

We have a general policy to not store content of artifacts in Rekor, as we are not trying to be a distributor of content nor assert any level of trustworthiness of what is in the log. The log simply acts as a record of signatures that have been seen.
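The two points made above (the OpenPGP signature stays inside the RPM rather than in the log entry, and the verifier is assumed to hold the RPM and match it against the entry's sha256) can be seen end to end in a small Go program. This is an added example written for this thread, not code from the rekor project or from rekor-cli. It assumes: the standard RPM on-disk layout (96-byte lead followed by the signature header, padded to 8 bytes); the RPMSIGTAG_* tag numbers as defined in rpm's rpmtag.h (RSA 268, SHA256 273, PGP 1002, MD5 1004); and the readOnly entry shape quoted earlier in this issue. The package bytes it parses are constructed in `ConstructedRPM` with placeholder digests and a placeholder signature blob, so the structure is realistic but nothing in it is a real signature.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Signature-header tag numbers (RPMSIGTAG_*) as numbered in rpm's rpmtag.h (assumed, not from this thread).
const (
	sigTagRSA    = 268
	sigTagSHA256 = 273
	sigTagPGP    = 1002
	sigTagMD5    = 1004
	leadSize     = 96 // fixed-size RPM lead that precedes the signature header
)

var leadMagic = []byte{0xed, 0xab, 0xee, 0xdb}
var headerMagic = []byte{0x8e, 0xad, 0xe8, 0x01} // header magic plus version byte

// SignatureTags reads only the signature header index and returns the tag numbers it
// carries, so it shows which digest/signature tags a package has without verifying any.
func SignatureTags(rpm []byte) ([]int32, error) {
	if len(rpm) < leadSize+16 || !bytes.Equal(rpm[:4], leadMagic) || !bytes.Equal(rpm[leadSize:leadSize+4], headerMagic) {
		return nil, errors.New("not an RPM with a signature header (bad lead or header magic)")
	}
	hdr := rpm[leadSize:]
	nindex := int(binary.BigEndian.Uint32(hdr[8:12])) // number of 16-byte index entries
	if len(hdr) < 16+nindex*16 {
		return nil, errors.New("truncated signature header index")
	}
	tags := make([]int32, 0, nindex)
	for i := 0; i < nindex; i++ {
		tags = append(tags, int32(binary.BigEndian.Uint32(hdr[16+i*16:]))) // first field of each entry is the tag
	}
	return tags, nil
}

// HasEmbeddedSignature reports whether an OpenPGP signature tag (RSA or PGP) is present:
// the signature lives inside the file, which is why a verifier needs the whole RPM.
func HasEmbeddedSignature(tags []int32) bool {
	for _, t := range tags {
		if t == sigTagRSA || t == sigTagPGP {
			return true
		}
	}
	return false
}

// rpmEntry mirrors the readOnly part of the rpm entry JSON quoted in this thread.
type rpmEntry struct {
	Kind string `json:"kind"`
	Spec struct {
		Package struct {
			Hash struct {
				Algorithm string `json:"algorithm"`
				Value     string `json:"value"`
			} `json:"hash"`
		} `json:"package"`
	} `json:"spec"`
}

// MatchesEntry is the verifier-side check: holding the RPM, recompute sha256 over the
// whole file and compare it with spec.package.hash.value of the entry fetched from Rekor.
func MatchesEntry(entryJSON, rpm []byte) (bool, error) {
	var e rpmEntry
	if err := json.Unmarshal(entryJSON, &e); err != nil {
		return false, err
	}
	if e.Kind != "rpm" || e.Spec.Package.Hash.Algorithm != "sha256" {
		return false, nil
	}
	sum := sha256.Sum256(rpm)
	return hex.EncodeToString(sum[:]) == e.Spec.Package.Hash.Value, nil
}

// ConstructedRPM builds a constructed (not real) layout: lead, signature header with
// MD5/SHA256/RSA tags whose values are placeholders, then a dummy remainder.
func ConstructedRPM() []byte {
	lead := make([]byte, leadSize)
	copy(lead, leadMagic)
	lead[4], lead[79] = 3, 5 // lead major version 3; signature_type 5 = header-style signature follows
	copy(lead[10:], "constructed-1.0-1.x86_64")
	// data store: 16-byte MD5 placeholder at 0, NUL-terminated 64-hex-char SHA256 placeholder at 16, 8-byte RSA placeholder at 81
	store := append(append(bytes.Repeat([]byte{0xab}, 16), append([]byte(hex.EncodeToString(make([]byte, 32))), 0)...), bytes.Repeat([]byte{1}, 8)...)
	var hdr bytes.Buffer
	hdr.Write(headerMagic)
	binary.Write(&hdr, binary.BigEndian, [3]uint32{0, 3, uint32(len(store))}) // reserved, nindex, hsize
	for _, e := range [][4]uint32{{sigTagMD5, 7, 0, 16}, {sigTagSHA256, 6, 16, 1}, {sigTagRSA, 7, 81, 8}} { // {tag, type (7=BIN, 6=STRING), offset, count}
		binary.Write(&hdr, binary.BigEndian, e)
	}
	hdr.Write(store)
	for hdr.Len()%8 != 0 { // the signature header is padded to an 8-byte boundary
		hdr.WriteByte(0)
	}
	return append(append(lead, hdr.Bytes()...), "constructed main header and payload"...)
}

func main() {
	rpm := ConstructedRPM()
	tags, err := SignatureTags(rpm)
	sum := sha256.Sum256(rpm)
	fmt.Println("signature tags:", tags, "embedded signature:", HasEmbeddedSignature(tags), "err:", err)
	fmt.Println("entry spec.package.hash.value would be:", hex.EncodeToString(sum[:]))
}
```

Running this against a real package instead of the constructed bytes lists the signature tags present (a v4-signed package carries RPMSIGTAG_RSA/SHA256, which is the tag set the linked issue #1569 is about), and `MatchesEntry` is the only part that needs the log: fetch the entry by the package's sha256, confirm the hash matches the local file, then let rpm itself verify the embedded signature against the key recorded in the entry.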
