From 39fa01fbd81d9b67ddb85002ac86d3a60bad8254 Mon Sep 17 00:00:00 2001 From: Al Cutter Date: Tue, 3 Feb 2026 10:24:03 +0000 Subject: [PATCH] Add docs and warning around the use of latest key version alias --- cmd/tesseract/gcp/README.md | 15 +++++++++++++++ cmd/tesseract/gcp/secret_manager.go | 7 ++++--- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/cmd/tesseract/gcp/README.md b/cmd/tesseract/gcp/README.md index 43e4451d1..0a0faa145 100644 --- a/cmd/tesseract/gcp/README.md +++ b/cmd/tesseract/gcp/README.md @@ -12,6 +12,21 @@ You can find more information about TesseraCT in general in the [architecture design doc](/docs/architecture.md), and in TesseraCT's [configuration guide](../). +## Keys and Secret Manager + +Log private and public keys are stored as secrets in Secret Manager, and the full secret version resource +names passed to +`--signer_private_key_secret_name` and `--signer_public_key_secret_name` respectively. + +> [!WARNING] +> While the `latest` version alias is supported, unless you are sure you know what you are doing, we +> strongly recommend the use of specific version IDs instead. +> +> Using `latest` will cause the log's key to be updated without warning if a new secret version is +> created. Since CT for the WebPKI currently does not support log key rotation, other than through +> retiring log shards and bringing up new ones, automatic rotation of the log key, inadvertant or +> otherwise, will therefore almost certainly result in an unplanned outage. + ## Witnessing > [!WARNING] diff --git a/cmd/tesseract/gcp/secret_manager.go b/cmd/tesseract/gcp/secret_manager.go index daee8bbba..b5c2148e8 100644 --- a/cmd/tesseract/gcp/secret_manager.go +++ b/cmd/tesseract/gcp/secret_manager.go @@ -74,6 +74,10 @@ func NewSecretManagerSigner(ctx context.Context, publicKeySecretName, privateKey } }() + if strings.HasSuffix(privateKeySecretName, "/latest") { + klog.Warning("Secret version configured to use 'latest' alias; log key will change if a newer version is created.") + } + // Public Key var publicKey crypto.PublicKey pemBlock, err := secretPEM(ctx, client, publicKeySecretName) @@ -129,9 +133,6 @@ func secret(ctx context.Context, client *secretmanager.Client, secretName string if err != nil { return nil, fmt.Errorf("failed to access secret version: %w", err) } - if resp.Name != secretName { - return nil, errors.New("request corrupted in-transit") - } // Verify the data checksum. crc32c := crc32.MakeTable(crc32.Castagnoli) checksum := int64(crc32.Checksum(resp.Payload.Data, crc32c))