sigstore
diff --git a/‎CHANGELOG.md
Lines changed: 10 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 10 additions & 1 deletion
diff --git a/‎sigstore/__init__.py
Lines changed: 1 addition & 1 deletion b/‎sigstore/__init__.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎sigstore/_internal/trust.py
Lines changed: 8 additions & 2 deletions b/‎sigstore/_internal/trust.py
Lines changed: 8 additions & 2 deletions
diff --git a/‎test/assets/trusted_root/trustedroot.v1.json
Lines changed: 14 additions & 0 deletions b/‎test/assets/trusted_root/trustedroot.v1.json
Lines changed: 14 additions & 0 deletions
diff --git a/‎test/unit/internal/test_trust.py
Lines changed: 4 additions & 1 deletion b/‎test/unit/internal/test_trust.py
Lines changed: 4 additions & 1 deletion
@@ -8,6 +8,14 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+## [3.6.3]
+
+### Fixed
+
+* Verify: Avoid hard failure if trusted root contains unsupported keytypes (as verification
+  may succeed without that key).
+  [#1425](https://github.com/sigstore/sigstore-python/pull/1425)
+
 ## [3.6.2]
 
 ### Fixed
@@ -608,7 +616,8 @@ This is a corrective release for [2.1.1].
 
 
 <!--Release URLs -->
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.3...HEAD
+[3.6.3]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...v3.6.3
 [3.6.2]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...v3.6.2
 [3.6.1]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
 [3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.5.3...v3.6.0
 
@@ -25,4 +25,4 @@
 * `sigstore.sign`: creation of Sigstore signatures
 """
 
-__version__ = "3.6.2"
+__version__ = "3.6.3"
@@ -18,6 +18,7 @@
 
 from __future__ import annotations
 
+import logging
 from collections.abc import Iterable
 from dataclasses import dataclass
 from datetime import datetime, timezone
@@ -60,6 +61,8 @@
 )
 from sigstore.errors import Error, MetadataError, VerificationError
 
+_logger = logging.getLogger(__name__)
+
 
 def _is_timerange_valid(period: TimeRange | None, *, allow_expired: bool) -> bool:
     """
@@ -167,8 +170,11 @@ def __init__(self, public_keys: list[_PublicKey] = []):
         self._keyring: dict[KeyID, Key] = {}
 
         for public_key in public_keys:
-            key = Key(public_key)
-            self._keyring[key.key_id] = key
+            try:
+                key = Key(public_key)
+                self._keyring[key.key_id] = key
+            except VerificationError as e:
+                _logger.warning(f"Failed to load a trusted root key: {e}")
 
     def verify(self, *, key_id: KeyID, signature: bytes, data: bytes) -> None:
         """
 
@@ -14,6 +14,20 @@
             "logId": {
                 "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
             }
+        },
+        {
+            "baseUrl": "https://example.com/unsupported_key",
+            "hashAlgorithm": "SHA2_256",
+            "publicKey": {
+                "rawBytes": "",
+                "keyDetails": "PKIX_ED25519",
+                "validFor": {
+                    "start": "2021-01-12T11:53:27.000Z"
+                }
+            },
+            "logId": {
+                "keyId": "xNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+            }
         }
     ],
     "certificateAuthorities": [
 
@@ -54,11 +54,14 @@ def test_good(self, asset):
         assert (
             root._inner.media_type == TrustedRoot.TrustedRootType.TRUSTED_ROOT_0_1.value
         )
-        assert len(root._inner.tlogs) == 1
+        assert len(root._inner.tlogs) == 2
         assert len(root._inner.certificate_authorities) == 2
         assert len(root._inner.ctlogs) == 2
         assert len(root._inner.timestamp_authorities) == 1
 
+        # only one of the two rekor keys is actually supported
+        assert len(root.rekor_keyring(KeyringPurpose.VERIFY)._keyring) == 1
+
     def test_bad_media_type(self, asset):
         path = asset("trusted_root/trustedroot.badtype.json")