Skip to content

Copy witness policy file format code from Tessera #229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Hayden-IO wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Copy witness policy file format code from Tessera #229

Hayden-IO wants to merge 18 commits into from

Conversation

@Hayden-IO
Copy link

@Hayden-IO Hayden-IO commented Jan 14, 2026

This moves the witness code, which implements https://c2sp.org/tlog-witness and https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md (with a slight variation of key format) to this low-dependency repo. Moving this out of the Tessera codebase lets verifiers verify witness cosigntures on checkpoints without also depending on Tessera, only needing transparency-dev/formats and transparency-dev/merkle.

I preserved the git history with git-filter-repo. When merging, this should be either merged or rebased onto main to preserve the history. Also note the license remains unchanged.

mhutchinson and others added 17 commits February 18, 2025 17:05
@mhutchinson
Defined witness policy configuration (#488)
d9ecc24 
This allows the required witnesses to be defined and the theshold
policies that apply within each group. Arbitrarily nested structures can
be built, each with different numbers of signatures.

Each WitnessGroup provides the URLs at which the witness can be reached
to perform witnessing, and a function that determines if the group is
satisfied.

This format is consistent with the only other known witness policy
configuration format out there:
https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md

Towards #309.
@mhutchinson
Implementing witnessing code and API (#494)
6db446f 
Towards #309.
@mhutchinson
[Witnessing] Check responses for valid signatures (#500)
788f9b4 
This now verifies the body of 200 responses. It checks that the note can
be verified using the signature, and then returns only the signature
that the log has a verifier for.

This means that witnesses that return a valid signature and then a load
of other signatures will not be able to pollute the checkpoint with
these other signatures. On the other hand, it means we will need to
consider how to support witness key rotation in Tessera in the future.
There are a few ways to solve this, but I don't believe this approach
blocks any of them.
@roger2hk
Replace m[k]=v loop with maps.Copy (#533)
77402a5
@mhutchinson
Remove unused things from API (#536)
464aac3 
Duplicate docs instead of linking to private docs
@mhutchinson
Slight API pruning and modernization (#609)
00c9d24 
A few bits to clean up as we approach a beta release:

 - Pruned utility method from API
 - Renamed IntegrationAwaiter to PublicationAwaiter
 - Modernized some older go idioms
@roger2hk
Replace all Url with URL (#636)
500c208
@AlCutter
Follow rename to Tessera #645
e0e473e
@AlCutter
Witness policy (#755)
af1bef3 
This PR adds support for constructing a graph of WitnessGroup/Witness structs which represent the policy defined in a config file complying with the spec here: https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md
@AlCutter
Witness submission prefix is a config item. (#756)
b1e0559
@AlCutter
Fix some witness related nits (#757)
792f075
@AlCutter
Read witness policy from []byte (#758)
fd0aa91
@AlCutter
Check policy handles whitespace and comments ok (#788)
e9403c9
@AlCutter
Bump formats to 404c0d5 (#791)
9294f4c 
* Bump formats to 404c0d5 & tidy
* Add 0x04 key to policy tests
@AlCutter
Clarify witness notes (#827)
a7891d3 
Makes it easier to find the option to configure witnesses using a policy file, and clarifies that it expects vkey cosig keys for witnesses.
@Hayden-IO
Merge remote-tracking branch 'tessera/main' into move-witness-code
4a93de2
@Hayden-IO
Move to dedicated package
1c29105 
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
@Hayden-IO Hayden-IO requested a review from a team as a code owner January 14, 2026 21:08
@Hayden-IO Hayden-IO requested a review from roger2hk January 14, 2026 21:08
@codecov-commenter
Copy link

codecov-commenter commented Jan 14, 2026

Codecov Report

❌ Patch coverage is 72.72727% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.80%. Comparing base (fa00c16) to head (1c29105).
⚠️ Report is 141 commits behind head on main.

Files with missing lines Patch % Lines
witness/witness.go 72.72% 19 Missing and 14 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #229      +/-   ##
==========================================
- Coverage   82.57%   73.80%   -8.78%     
==========================================
  Files           5        7       +2     
  Lines         241      500     +259     
==========================================
+ Hits          199      369     +170     
- Misses         30       74      +44     
- Partials       12       57      +45

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Hayden-IO Hayden-IO mentioned this pull request Jan 14, 2026
Draft
@AlCutter AlCutter changed the title Move witness code from Tessera Copy witness policy file format code from Tessera Jan 23, 2026
AlCutter
AlCutter reviewed Jan 23, 2026
View reviewed changes
Copy link
Collaborator

@AlCutter AlCutter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there's an opportunity to improve naming on a couple of things taking advantage of the new witness package name:

  • witness.NewWitness --> witness.New
  • witness.WitnessGroup --> witness.Group
  • witness.NewWitnessGroup --> witness.NewGroup
  • witness.NewWitnessGroupFromPolicy --> witness.ParsePolicy

Perhaps the ones in tessera can then become deprecated type aliases for these until v2.0.0.

@Hayden-IO @mhutchinson @roger2hk thoughts?

@roger2hk
Copy link
Contributor

roger2hk commented Jan 23, 2026

I think there's an opportunity to improve naming on a couple of things taking advantage of the new witness package name:

  • witness.NewWitness --> witness.New
  • witness.WitnessGroup --> witness.Group
  • witness.NewWitnessGroup --> witness.NewGroup
  • witness.NewWitnessGroupFromPolicy --> witness.ParsePolicy

Perhaps the ones in tessera can then become deprecated type aliases for these until v2.0.0.

@Hayden-IO @mhutchinson @roger2hk thoughts?

This is a good suggestion. The naming aligns with the Go Style Best Practice. Type aliases provide a path to deprecation in Tessera v2.

https://google.github.io/styleguide/go/best-practices#avoid-repetition

@Hayden-IO
Update function and struct names to align with style guide
b1c92b7 
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
@Hayden-IO
Copy link
Author

Hayden-IO commented Jan 23, 2026

Agreed! I've updated the names.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlCutter AlCutter AlCutter left review comments

@roger2hk roger2hk Awaiting requested review from roger2hk roger2hk is a code owner automatically assigned from transparency-dev/core-team

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Hayden-IO @codecov-commenter @roger2hk @AlCutter @mhutchinson