New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: Add test that verifies using current issuer certificates #922

Open

jku opened this issue Mar 6, 2024 · 0 comments

Labels

enhancement good first issue

Member

jku commented Mar 6, 2024 •

edited

Loading

During #910 development the test suite was passing but a simply running this failed with InvalidSCTKeyError:

sigstore sign README.md
sigstore verify identity --cert-identity $ID --cert-oidc-issuer $ISSUER README.md

The reasons for this seem to be:

SCT verification code made assumptions about the order of certificates in the issuer "chain"
At some point in time "chain" actually was in that assumed order
all of the current test data was generated during that time
current "issuer chain" looks different

So the problem is that right now we have no test that actually asserts that our SCT verification works on current sigstore trust root. We should add

A new asset test/unit/assets/new_bundle.txt (like the other txts, just a text file)
A new good signature bundle in test/unit/assets/new_bundle.txt.sigstore (the bundle is the result of running sigstore sign new_bundle.txt
a test that asserts that the new bundle verifies correctly (copying test_verifier_offline() probably works fine)

Note that if you create this new bundle, it will contain the email address that you used to authenticate with.

The text was updated successfully, but these errors were encountered:

jku added enhancement good first issue labels

jku mentioned this issue

Adding sct verification for certificates on verify flow #910

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment