finish off sprint advisories and sprints

2026-01-24 00:12:43 +02:00
parent 726d70dc7f
commit c70e83719e
266 changed files with 46699 additions and 1328 deletions
--- a/src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs
+++ b/src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs
@@ -140,6 +140,9 @@ internal sealed class HttpRekorClient : IRekorClient
                            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                            out var dto)
                        ? dto
+                        : null,
+                    SignedNote = checkpointElement.TryGetProperty("signedNote", out var signedNote) ? signedNote.GetString()
+                        : checkpointElement.TryGetProperty("note", out var note) ? note.GetString()
                        : null
                }
                : null,
@@ -278,15 +281,58 @@ internal sealed class HttpRekorClient : IRekorClient
                "Successfully verified Rekor inclusion for UUID {Uuid} at index {Index}",
                rekorUuid, logIndex);

-            _logger.LogDebug(
-                "Checkpoint signature verification is unavailable for UUID {Uuid}; treating checkpoint as unverified",
-                rekorUuid);
+            // Verify checkpoint signature if public key is available
+            var checkpointSignatureValid = false;
+            if (backend.PublicKey is { Length: > 0 } publicKey &&
+                !string.IsNullOrEmpty(proof.Checkpoint.SignedNote))
+            {
+                try
+                {
+                    var checkpointResult = CheckpointSignatureVerifier.VerifySignedCheckpointNote(
+                        proof.Checkpoint.SignedNote,
+                        publicKey);
+
+                    checkpointSignatureValid = checkpointResult.Verified;
+
+                    if (checkpointSignatureValid)
+                    {
+                        _logger.LogDebug(
+                            "Checkpoint signature verified successfully for UUID {Uuid}",
+                            rekorUuid);
+                    }
+                    else
+                    {
+                        _logger.LogWarning(
+                            "Checkpoint signature verification failed for UUID {Uuid}: {Reason}",
+                            rekorUuid,
+                            checkpointResult.FailureReason ?? "unknown");
+                    }
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(ex,
+                        "Checkpoint signature verification error for UUID {Uuid}",
+                        rekorUuid);
+                }
+            }
+            else if (backend.PublicKey is null or { Length: 0 })
+            {
+                _logger.LogDebug(
+                    "No Rekor public key configured; checkpoint signature not verified for UUID {Uuid}",
+                    rekorUuid);
+            }
+            else
+            {
+                _logger.LogDebug(
+                    "No signed checkpoint note available for UUID {Uuid}; signature not verified",
+                    rekorUuid);
+            }

            return RekorInclusionVerificationResult.Success(
                logIndex.Value,
                computedRootHex,
                proof.Checkpoint.RootHash,
-                checkpointSignatureValid: false);
+                checkpointSignatureValid);
        }
        catch (Exception ex) when (ex is FormatException or ArgumentException)
        {