Description

When verifying a signature passed via a file, trailing newlines are not sanitized.

Using the `verify_blob` API with a signature file generated by sigstore-python, `verify_signature` fails with

```
Error: Invalid byte 10, offset 96.
```

The root issue seems to be differing signature files generated between sigstore-python and cosign (e.g. https://github.com/sigstore/sigstore-rs/tree/main/examples/cosign/verify-blob#sign-the-artifacttxt-file-using-cosign).

(byte 10 == `'\n'`)

This is pretty easily fixed with a `.trim()` at the `fs::read_to_string` callsite, but compatibility doesn't seem guaranteed between sigstore clients.

Version

e23046c
(CC @woodruffw)
The errors are not quite the same now: `Verification failed Base64DecodeError(InvalidByte(0, 45))`
I'll have a look at the code but the differences I can see in the data are:
I think compatibility would be useful... but from sigstore-python perspective these files are not the "API": the signature bundle is.
cosign's use of double-base64 seems useless in practice.
Verified in code: there are two differences that would need to be handled to make verify-blob work with data from sigstore-python:
I will make an attempt at fixing this, I think it looks like something the CLI layer can take care of.
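Added example, not code from sigstore-rs, sigstore-python or cosign: a loader that normalises a detached signature file so that the two layouts discussed in this thread (single base64 with a trailing newline, and the double-base64 layout the thread attributes to cosign) decode to the same raw signature bytes. It bundles a small strict base64 decoder so it builds with no crates; that decoder reports the first bad byte and its offset, so a file with an untrimmed `\n` produces the same kind of error as the one quoted in the issue. The sample inputs in the test are constructed (a tiny DER-shaped byte string, not a real signature), and the assumption that raw signature bytes are never themselves valid base64 text is labelled in the code.

```rust
// Added example (not sigstore-rs code): normalise a detached signature file.
// Handles both layouts described in the issue:
//   * single base64 plus a trailing newline (the byte-10 error)
//   * base64 of base64 (the "double-base64" layout the thread attributes to cosign)
use std::fs;

#[derive(Debug, PartialEq)]
pub enum SigFileError {
    /// First byte outside the base64 alphabet, with its offset (like the issue's error).
    InvalidByte { byte: u8, offset: usize },
    /// Length not a multiple of four, or '=' somewhere other than trailing padding.
    BadLength,
}

fn decode_char(c: u8) -> Option<u32> {
    let v = match c {
        b'A'..=b'Z' => c - b'A',
        b'a'..=b'z' => c - b'a' + 26,
        b'0'..=b'9' => c - b'0' + 52,
        b'+' => 62,
        b'/' => 63,
        _ => return None,
    };
    Some(u32::from(v))
}

/// Strict standard base64 decoder: no whitespace, padding only at the end.
pub fn base64_decode(input: &[u8]) -> Result<Vec<u8>, SigFileError> {
    // Pass 1: every byte must be in the alphabet or be '='. A trailing newline
    // fails here with byte 10, exactly the class of error the issue reports.
    if let Some((offset, &byte)) = input
        .iter()
        .enumerate()
        .find(|&(_, &c)| c != b'=' && decode_char(c).is_none())
    {
        return Err(SigFileError::InvalidByte { byte, offset });
    }
    // Pass 2: at most two '=' and only as trailing padding; length multiple of four.
    let pad = input.iter().rev().take_while(|&&c| c == b'=').count();
    if pad > 2 || input.len() % 4 != 0 || input[..input.len() - pad].contains(&b'=') {
        return Err(SigFileError::BadLength);
    }
    // Pass 3: pack 6-bit groups into bytes; the last chunk may hold 2 or 3 chars.
    let data = &input[..input.len() - pad];
    let mut out = Vec::with_capacity(input.len() / 4 * 3);
    for chunk in data.chunks(4) {
        let mut acc: u32 = 0;
        for &c in chunk {
            acc = (acc << 6) | decode_char(c).unwrap(); // validated in pass 1/2
        }
        acc <<= 6 * (4 - chunk.len()); // left-align to a full 24-bit group
        for i in 0..chunk.len() - 1 {
            out.push((acc >> (16 - 8 * i)) as u8);
        }
    }
    Ok(out)
}

/// Strip trailing ASCII whitespace: the `\n` / `\r\n` that an untrimmed
/// `fs::read_to_string` result would otherwise feed into the decoder.
fn trim_ascii_end(bytes: &[u8]) -> &[u8] {
    let mut end = bytes.len();
    while end > 0 && bytes[end - 1].is_ascii_whitespace() {
        end -= 1;
    }
    &bytes[..end]
}

/// Turn the contents of a signature file into raw signature bytes.
/// Peeling a second base64 layer only when the first output is itself strict
/// base64 text is a format heuristic, not a security control: the result still
/// goes through the ordinary signature check against the public key afterwards.
/// Assumption (this example's, not the projects'): raw DER signature bytes always
/// contain bytes outside the base64 alphabet, so they never decode a second time.
pub fn load_signature_bytes(contents: &[u8]) -> Result<Vec<u8>, SigFileError> {
    let first = base64_decode(trim_ascii_end(contents))?;
    match base64_decode(&first) {
        Ok(second) => Ok(second), // double-encoded: the inner layer is the signature
        Err(_) => Ok(first),      // single-encoded: these are already the raw bytes
    }
}

fn main() {
    let path = std::env::args().nth(1).expect("usage: <signature-file>");
    let contents = fs::read(&path).expect("cannot read signature file");
    match load_signature_bytes(&contents) {
        Ok(sig) => println!("{}: decoded {} raw signature bytes", path, sig.len()),
        Err(e) => eprintln!("{}: cannot decode signature file: {:?}", path, e),
    }
}
```

Trimming alone fixes the byte-10 error the issue opens with; the second-layer probe is what lets the same CLI path accept both file layouts, which is the compatibility gap the later comments describe as needing handling at the CLI layer.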