@ivarprudnikov ivarprudnikov commented Dec 2, 2025

Updates to verification

  • Allow clients to pass JSON { "domain.name": { "JWKS" } } to enable offline verification of transparent statements. This is to improve potential issues with latency when verifying statements at scale in Confidential Signing Service
  • Allow clients to determine if network fallback is allowed if the public key domain is not to be found in the provided JSON

github-actions bot commented Dec 2, 2025

API Change Check

APIView identified API level changes in this PR and created the following API reviews

Azure.Security.CodeTransparency

@ivarprudnikov ivarprudnikov marked this pull request as ready for review December 2, 2025 16:40
Copilot AI review requested due to automatic review settings December 2, 2025 16:40
Copilot finished reviewing on behalf of ivarprudnikov December 2, 2025 16:45
Copilot AI left a comment

Pull request overview

This PR introduces support for offline verification of transparent statements by allowing clients to provide pre-configured JWKS (JSON Web Key Set) documents mapped by ledger domain. This feature is designed to improve latency and reliability when verifying statements at scale in the Confidential Signing Service.

Key changes:

  • Added CodeTransparencyOfflineKeys class to store domain-to-JWKS mappings for offline verification
  • Extended CodeTransparencyVerificationOptions with OfflineKeys property and OfflineKeysBehavior enum to control network fallback behavior
  • Modified verification logic in CodeTransparencyClient to prioritize offline keys before falling back to network retrieval

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| CodeTransparencyOfflineKeys.cs | New class providing a case-insensitive dictionary to map ledger domains to JWKS documents for offline verification |
| CodeTransparencyVerificationOptions.cs | Added properties for offline keys configuration and behavior control, plus new enum for fallback behavior |
| CodeTransparencyClient.cs | Integrated offline key lookup logic with optional network fallback in the verification flow |
| CodeTransparencyClientUnitTests.cs | Added three new tests covering offline verification scenarios (pure offline, with fallback, and failure without fallback) |
| Azure.Security.CodeTransparency.netstandard2.0.cs | Updated public API surface to expose new types and properties |
| Azure.Security.CodeTransparency.net8.0.cs | Updated public API surface to expose new types and properties |
| CodeTransparencyClientOptions.cs | Minor whitespace formatting improvement |


ivarprudnikov and others added 4 commits December 2, 2025 16:56
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
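
The lookup order described in the review overview above (offline keys first, network retrieval only when the caller permits it), as an added C# sketch that is not code from this pull request or from the Azure SDK. `OfflineKeyResolver`, `FallbackPolicy`, the injected fetch delegate and the sample domain are hypothetical names chosen for the illustration.

```csharp
// Added illustration with hypothetical types; not the Azure.Security.CodeTransparency API.
using System;
using System.Collections.Generic;
using System.Text.Json;

enum FallbackPolicy { OfflineOnly, AllowNetwork } // hypothetical names

sealed class OfflineKeyResolver
{
    // Ledger domain -> JWKS document; domain names compare case-insensitively.
    private readonly Dictionary<string, JsonElement> _jwksByDomain =
        new(StringComparer.OrdinalIgnoreCase);
    private readonly FallbackPolicy _policy;
    private readonly Func<string, JsonElement> _fetchJwks; // injected network fetch

    public OfflineKeyResolver(string json, FallbackPolicy policy, Func<string, JsonElement> fetchJwks)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            _jwksByDomain[p.Name] = p.Value.Clone(); // Clone outlives the disposed document
        _policy = policy;
        _fetchJwks = fetchJwks;
    }

    public JsonElement ResolveKey(string issuerDomain, string kid)
    {
        if (!_jwksByDomain.TryGetValue(issuerDomain, out JsonElement jwks))
        {
            // Fail closed unless the caller opted in to network retrieval.
            if (_policy != FallbackPolicy.AllowNetwork)
                throw new InvalidOperationException($"No offline keys for '{issuerDomain}'.");
            jwks = _fetchJwks(issuerDomain);
        }
        foreach (JsonElement key in jwks.GetProperty("keys").EnumerateArray())
            if (key.TryGetProperty("kid", out JsonElement k)
                && k.ValueKind == JsonValueKind.String && k.GetString() == kid)
                return key;
        throw new KeyNotFoundException($"kid '{kid}' not in JWKS for '{issuerDomain}'.");
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample in the { "domain.name": { JWKS } } shape from the PR description.
        string json = "{\"ledger.example.test\":{\"keys\":[{\"kty\":\"EC\",\"kid\":\"k1\"}]}}";
        var r = new OfflineKeyResolver(json, FallbackPolicy.OfflineOnly,
            _ => throw new InvalidOperationException("network disabled"));
        Console.WriteLine(r.ResolveKey("LEDGER.example.test", "k1").GetProperty("kty").GetString());
        try { r.ResolveKey("other.example.test", "k1"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```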