mssun opened a new issue #135: What's the purpose of the `cert/mr_signer` file? URL: https://github.com/apache/incubator-mesatee/issues/135 I understand `mr_signer` means the SHA256 digest of the big endian format modulus of the RSA public key of the enclave's signing key. And I can config it as build configuration here: https://github.com/apache/incubator-mesatee/blob/9c6d1e40bf3d8a73f80b119138c3219ee713590d/build.toml#L7 `config_gen` will include it in bytes at compile time: ``` lazy_static! { pub static ref MESATEE_SECURITY_CONSTANTS: MesateeSecurityConstants = MesateeSecurityConstants { mr_signer: include_bytes!("/home/mssun/incubator-mesatee/cert/mr_signer"), root_ca_bin: include_bytes!("/home/mssun/incubator-mesatee/cert/ca.crt"), ias_report_ca: include_bytes!("/home/mssun/incubator-mesatee/cert/AttestationReportSigningCACert.pem"), client_cert: include_bytes!("/home/mssun/incubator-mesatee/cert/client.crt"), client_pkcs8_key: include_bytes!("/home/mssun/incubator-mesatee/cert/client.pkcs8"), audited_enclave_pubkey_a: include_bytes!("/home/mssun/incubator-mesatee/auditors/godzilla/godzilla.public.der"), audited_enclave_pubkey_b: include_bytes!("/home/mssun/incubator-mesatee/auditors/optimus_prime/optimus_prime.public.der"), audited_enclave_pubkey_c: include_bytes!("/home/mssun/incubator-mesatee/auditors/albus_dumbledore/albus_dumbledore.public.der"), max_msg_size: 0x64000, }; } ``` However, I didn't find any code use this constant value. From my understanding, the MRSIGNER value is written in the `enclave_info.txt` and will be loaded at runtime for verification instead of build time config: `mesatee_core/src/config/mod.rs`: ``` lazy_static! { pub static ref ENCLAVE_IDENTITIES: HashMap<String, (SgxMeasure, SgxMeasure)> = load_presigned_enclave_info(); } ``` The question is can we remove this file and do we need this as build time config?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
