Drop DSSE support #744

Draft
Hayden-IO wants to merge 1 commit into sigstore:main from Hayden-IO:drop-dsse

Conversation

@Hayden-IO
Contributor

We have found that DSSE requests can be quite large with comprehensive SBOMs, and these requests have become a source for server crashes in Rekor v1. Before Rekor v2 is widely deployed, we will drop support for DSSE requests, instead requiring clients to provide the DSSE PAE hash and signature extracted from the envelope.

We are not removing the protos to avoid any downstream breaking changes.

Summary

Release Note

Documentation

We have found that DSSE requests can be quite large with comprehensive
SBOMs, and these requests have become a source for server crashes in
Rekor v1. Before Rekor v2 is widely deployed, we will drop support for
DSSE requests, instead requiring clients to provide the DSSE PAE hash
and signature extracted from the envelope.

We are not removing the protos to avoid any downstream breaking changes.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
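
The client-side step the description refers to, as an added example (not code from this pull request or from Rekor): deriving the DSSE PAE digest and the raw signatures from an envelope, so that only a fixed-size hash and the signatures need to be submitted. It assumes SHA-256 and standard base64; `PAEDigestAndSigs` and the sample envelope are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// envelope holds the DSSE envelope JSON fields used here (field names per the DSSE spec).
type envelope struct {
	Payload     string `json:"payload"` // base64
	PayloadType string `json:"payloadType"`
	Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"`
}

// Constructed sample; the "signature" is placeholder bytes, not a real signature.
const sampleEnvelope = `{"payload":"aGVsbG8gd29ybGQ=","payloadType":"http://example.com/HelloWorld","signatures":[{"sig":"c2lnLWJ5dGVz"}]}`

// PAEDigestAndSigs (hypothetical helper) returns SHA-256 over the DSSE PAE bytes and the decoded signatures.
func PAEDigestAndSigs(envJSON []byte) ([32]byte, [][]byte, error) {
	var env envelope
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return [32]byte{}, nil, err
	}
	if len(env.Signatures) == 0 {
		return [32]byte{}, nil, fmt.Errorf("envelope has no signatures")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return [32]byte{}, nil, fmt.Errorf("payload: %w", err)
	}
	var sigs [][]byte
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return [32]byte{}, nil, fmt.Errorf("signature: %w", err)
		}
		sigs = append(sigs, raw)
	}
	// PAE = "DSSEv1" SP len(type) SP type SP len(payload) SP payload, lengths in ASCII decimal.
	pae := append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(env.PayloadType), env.PayloadType, len(payload))), payload...)
	return sha256.Sum256(pae), sigs, nil
}

func main() {
	d, sigs, err := PAEDigestAndSigs([]byte(sampleEnvelope))
	fmt.Printf("digest=%x sigs=%d err=%v\n", d, len(sigs), err)
}
```

The digest covers the PAE bytes, not the bare payload, so a verifier that hashes only the decoded payload will not match the signed value.
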
codecov Bot commented Apr 3, 2026

Codecov Report

❌ Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 27.29%. Comparing base (be283a2) to head (cd29567).

Files with missing lines Patch % Lines
internal/server/service.go 75.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #744      +/-   ##
==========================================
- Coverage   30.05%   27.29%   -2.77%     
==========================================
  Files          62       61       -1     
  Lines        3327     3158     -169     
==========================================
- Hits         1000      862     -138     
+ Misses       2216     2200      -16     
+ Partials      111       96      -15     

@Hayden-IO Hayden-IO requested a review from loosebazooka April 9, 2026 22:22
@Hayden-IO Hayden-IO marked this pull request as ready for review April 9, 2026 22:22
@Hayden-IO Hayden-IO requested review from a team as code owners April 9, 2026 22:22
Member

@jku jku left a comment

looks correct to me

Member

@loosebazooka loosebazooka left a comment

looks fine to me


m.newHashedRekordEntries = f.NewCounter(prometheus.CounterOpts{
Name: "rekor_v2_new_hashedrekord_entries",
Help: "The total number of new dsse log entries",
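
Review bot: The Help text on the last line of this snippet says "The total number of new dsse log entries" while the counter it belongs to is named rekor_v2_new_hashedrekord_entries. Change the help string to describe hashedrekord entries so the exported metric description matches what the counter counts.
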
Member

oh oops, that must look weird in our logs.

Comment thread pkg/client/write/write.go
}

// Add uploads a hashedrekord or DSSE log entry and returns the TransparencyLogEntry proving the entry's inclusion in the log.
// Add uploads a hashedrekord log entry and returns the TransparencyLogEntry proving the entry's inclusion in the log.
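
Review bot: The revised doc comment on Add drops "or DSSE" but does not say what a caller who still passes a DSSE request gets back. Add a sentence stating that DSSE requests are no longer accepted and that callers should provide the DSSE PAE hash and signature instead, as the pull request description puts it, so the comment records the behavior change and not only the narrower type.
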
Member

I'm a little curious how this is called. Should we leave this func signature generic to allow for some future flexibility, or should we try to change

- func (w *writeClient) Add(ctx context.Context, entry any) (*pbs.TransparencyLogEntry, error) {
+ func (w *writeClient) Add(ctx context.Context, entry pb.HashedRekorRequestV002) (*pbs.TransparencyLogEntry, error) {

Contributor

Probably leave it generic, we're likely to add new ones

@loosebazooka
Member

remember to resync the protobuf-specs import of these proto defs

return nil, status.Errorf(codes.InvalidArgument, "invalid dsse request")
}
metricsCounter = getMetrics().newDsseEntries
_ = grpc.SetHeader(ctx, metadata.Pairs(httpStatusCodeHeader, "405"))
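
Review bot: On the grpc.SetHeader line the returned error is discarded with `_ =`, so if the header cannot be attached the rejection goes out without the intended HTTP status and nothing records why; log the error at minimum. The "405" string literal would also be easier to audit if it were derived from a named status constant instead of being written inline.
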
Contributor

Is 405 the best code for this? The method and the endpoint are valid, it's just an unsupported type. What about reusing codes.InvalidArgument for this, as below?

@Hayden-IO Hayden-IO marked this pull request as draft April 16, 2026 22:46