Verification crashes for v0.1 bundles missing checkpoints

[woodruffw]

Description

I observed this behavior while trying to cross-check sigstore-python's handling of v0.1 bundles with other clients.

Reproduction steps:

wget https://www.python.org/ftp/python/3.12.5/Python-3.12.5.tgz
wget https://www.python.org/ftp/python/3.12.5/Python-3.12.5.tgz.sigstore
sigstore-go -artifact Python-3.12.5.tgz -expectedSAN '[email protected]' Python-3.12.5.tgz.sigstore 

Running that fails with:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x30 pc=0x10293ec40]

goroutine 1 [running]:
github.com/sigstore/sigstore-go/pkg/tlog.ParseEntry(0x140003c8f50)
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/pkg/tlog/entry.go:132 +0x500
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).TlogEntries(0x140003d4860)
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/pkg/bundle/bundle.go:252 +0xb0
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).validate(0x140003d4860)
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/pkg/bundle/bundle.go:84 +0x100
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).UnmarshalJSON(0x140003d4860, {0x14000389500, 0x14ad, 0x14ae})
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/pkg/bundle/bundle.go:189 +0xa4
github.com/sigstore/sigstore-go/pkg/bundle.LoadJSONFromPath({0x16d997928, 0x33})
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/pkg/bundle/bundle.go:170 +0x8c
main.run()
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/cmd/sigstore-go/main.go:94 +0x58
main.main()
	/Users/william/go/pkg/mod/github.com/sigstore/[email protected]/cmd/sigstore-go/main.go:87 +0x1c

From a quick triage, that looks like it fails on this swag.String ctor:

sigstore-go/pkg/tlog/entry.go

Line 132 in 004c425

Checkpoint: swag.String(protoEntry.InclusionProof.Checkpoint.Envelope),

...which I suspect fails because InclusionProof.Checkpoint is completely missing from the bundle, which gets silently ignored during unpacking because protobuf is very malleable about missing items.

Version

I tested this with go install github.com/sigstore/sigstore-go/cmd/sigstore-go@latest, which I believe should be installing the latest tag (v0.5.1).

Additional context

This is arguably a knock-on bug: the Sigstore bundle in question was generated by sigstore-python in the 1.x series, which didn't include the checkpoint field in its bundles (since it wasn't clear from the v0.1 bundle spec that it was required).

I'm tracking the associated behavior in sigstore-python here: sigstore/sigstore-python#1088

[woodruffw]

Forgot to mention: I think the expected behavior here is still a verification failure, but one that happens in a controlled manner rather than via a panic 🙂

[steiza]

This is a great example of one of the corner-cases we should be addressing in #63!