Cannot verify npm attestations · Issue #1384 · sigstore/sigstore-python · GitHub

Open
letmaik opened this issue May 14, 2025 · 3 comments
Labels
component:api Public APIs component:cli CLI components enhancement New feature or request

Comments

@letmaik
letmaik commented May 14, 2025
import json
import requests
from sigstore.models import Bundle
from sigstore.verify import Verifier

class DummyPolicy:
    # Accepts any signing certificate; only here so verify_dsse can be reached.
    def verify(self, cert) -> None:
        pass

# Fetch the attestations npm publishes for sigstore@3.1.0 and keep the SLSA provenance one.
url = "https://registry.npmjs.org/-/npm/v1/attestations/sigstore@3.1.0"
data = requests.get(url).json()
attestation = [a for a in data["attestations"] if a["predicateType"] == "https://slsa.dev/provenance/v1"][0]
# Parse the Sigstore bundle embedded in the attestation.
bundle = Bundle.from_json(json.dumps(attestation["bundle"]))

verifier = Verifier.production()
policy = DummyPolicy()

# Fails: the bundle's Rekor entry has kind "intoto", not "dsse" (see output below).
type_, payload = verifier.verify_dsse(bundle, policy)

# Output:
# pydantic_core._pydantic_core.ValidationError: 5 validation errors for Dsse
# kind
#   Input should be 'dsse' [type=literal_error, input_value='intoto', input_type=str]
#     For further information visit https://errors.pydantic.dev/2.11/v/literal_error
# spec.DsseV001Schema1.proposedContent
#   Field required [type=missing, input_value={'content': {'envelope': ...d8d17c23fdca569f6efa'}}}, input_type=dict]
#     For further information visit https://errors.pydantic.dev/2.11/v/missing
# spec.DsseV001Schema2.signatures
#   Field required [type=missing, input_value={'content': {'envelope': ...d8d17c23fdca569f6efa'}}}, input_type=dict]
#     For further information visit https://errors.pydantic.dev/2.11/v/missing
# spec.DsseV001Schema2.envelopeHash
#   Field required [type=missing, input_value={'content': {'envelope': ...d8d17c23fdca569f6efa'}}}, input_type=dict]
#     For further information visit https://errors.pydantic.dev/2.11/v/missing
# spec.DsseV001Schema2.payloadHash
#   Field required [type=missing, input_value={'content': {'envelope': ...d8d17c23fdca569f6efa'}}}, input_type=dict]
#     For further information visit https://errors.pydantic.dev/2.11/v/missing

sigstore==3.6.2
sigstore-protobuf-specs==0.3.2
sigstore-rekor-types==0.0.18

@letmaik letmaik added the bug Something isn't working label May 14, 2025
@woodruffw
Member

Thanks for opening an issue @letmaik!

FYI, this is happening because NPM uses an intoto type for its attestations, while sigstore-python (semi-)intentionally only supports hashedrekord and dsse.

The intoto type is going away with Rekor v2, so I'm hesitant to add direct support for this. However, I could see an argument for adding verify-only support, since there's certainly a long tail of NPM attestations that use intoto as their type.

CC @jku and @haydentherapper for thoughts as well -- I think we don't currently test intoto-typed Rekor entries in the conformance suite at all 🙂

See #252 for some more context.
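As an added example (not the reporter's code and not sigstore-python's own), the following stdlib-only pre-check reads the Rekor entry kind(s) out of a bundle before it is handed to `verify_dsse`, so an `intoto` entry produces a readable message instead of the pydantic validation error above. The field path `verificationMaterial.tlogEntries[].kindVersion` is the Sigstore bundle JSON schema's; the npm-style response, its second attestation and the `https://example.invalid/...` predicate type are constructed placeholders, and `triage_npm_attestations` is a hypothetical helper name.

```python
from __future__ import annotations

import json
from typing import Any

# Rekor entry kinds sigstore-python's verifier handles, per the maintainer comment
# above; npm's provenance bundles instead carry "intoto" entries.
SUPPORTED_KINDS: frozenset[str] = frozenset({"hashedrekord", "dsse"})


class UnsupportedRekorEntry(ValueError):
    """Bundle carries a transparency-log entry kind the verifier cannot check."""


def rekor_entry_kinds(bundle: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (kind, version) for each tlog entry in a Sigstore bundle dict.

    Field path per the Sigstore bundle JSON schema:
    verificationMaterial.tlogEntries[].kindVersion.{kind,version}.
    """
    material = bundle.get("verificationMaterial") or {}
    entries = material.get("tlogEntries") or []
    return [(e["kindVersion"]["kind"], e["kindVersion"]["version"]) for e in entries]


def check_verifiable(bundle: dict[str, Any],
                     supported: frozenset[str] = SUPPORTED_KINDS) -> list[tuple[str, str]]:
    """Return the entry kinds, or raise UnsupportedRekorEntry with a clear message."""
    kinds = rekor_entry_kinds(bundle)
    if not kinds:
        raise UnsupportedRekorEntry("bundle has no transparency log entries")
    bad = sorted({k for k, _ in kinds} - supported)
    if bad:
        raise UnsupportedRekorEntry(
            f"bundle uses Rekor entry kind(s) {bad}; this verifier only handles "
            f"{sorted(supported)} (npm provenance bundles are typically 'intoto')"
        )
    return kinds


def triage_npm_attestations(response: dict[str, Any], predicate_type: str) -> dict[str, Any]:
    """Pick the attestation with predicate_type from an npm attestations response
    (hypothetical helper) and report whether its bundle can go to verify_dsse."""
    matches = [a for a in response.get("attestations", [])
               if a.get("predicateType") == predicate_type]
    if not matches:
        return {"predicateType": predicate_type, "found": False, "verifiable": False,
                "kinds": [], "reason": "no attestation with that predicateType"}
    bundle = matches[0]["bundle"]
    try:
        kinds = check_verifiable(bundle)
    except UnsupportedRekorEntry as exc:
        return {"predicateType": predicate_type, "found": True, "verifiable": False,
                "kinds": rekor_entry_kinds(bundle), "reason": str(exc)}
    return {"predicateType": predicate_type, "found": True, "verifiable": True,
            "kinds": kinds, "reason": ""}


# Constructed sample shaped like the registry's /-/npm/v1/attestations/<pkg> response.
# Payloads and signatures are placeholders; only the tlog entry kinds matter here.
SAMPLE_NPM_RESPONSE: dict[str, Any] = {
    "attestations": [
        {
            "predicateType": "https://slsa.dev/provenance/v1",
            "bundle": {
                "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
                "verificationMaterial": {
                    "tlogEntries": [
                        {"logIndex": "1", "kindVersion": {"kind": "intoto", "version": "0.0.2"}}
                    ]
                },
                "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                                 "payload": "e30=", "signatures": []},
            },
        },
        {
            # Constructed: a hypothetical attestation whose Rekor entry kind is dsse.
            "predicateType": "https://example.invalid/predicate/v1",
            "bundle": {
                "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
                "verificationMaterial": {
                    "tlogEntries": [
                        {"logIndex": "2", "kindVersion": {"kind": "dsse", "version": "0.0.1"}}
                    ]
                },
                "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                                 "payload": "e30=", "signatures": []},
            },
        },
    ]
}


if __name__ == "__main__":
    for pt in ("https://slsa.dev/provenance/v1", "https://example.invalid/predicate/v1"):
        print(json.dumps(triage_npm_attestations(SAMPLE_NPM_RESPONSE, pt), indent=2))
```

Gating the `verifier.verify_dsse(bundle, policy)` call on `check_verifiable(attestation["bundle"])` succeeding turns the five-line pydantic error into a single message naming the unsupported kind; the check is read-only and never touches Rekor, in line with the advice above against fetching attestations from the log.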

@haydentherapper
Contributor

I believe npm still uses the intoto type since it offers attestation storage as well. We've soft-deprecated intoto in Rekor v1: it's still enabled in the prod instance; we just don't recommend it.

intoto shouldn't be used by any new clients for signing, but it would be reasonable to add support for verifying more entry types for more conformance across clients. I wouldn't recommend adding support for fetching attestations from Rekor though.

@woodruffw woodruffw added enhancement New feature or request component:cli CLI components component:api Public APIs and removed bug Something isn't working labels May 15, 2025
@woodruffw
Member

Re-catting as an enhancement, since this was an intentional feature gap previously.

(The error message is non-ideal, however -- I can look into improving that.)
