8000 Verifier: Use correct Timestamp hash algorithm by jku · Pull Request #1385 · sigstore/sigstore-python · GitHub
[go: up one dir, main page]
Skip to content

Verifier: Use correct Timestamp hash algorithm #1385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 27, 2025
Merged

Verifier: Use correct Timestamp hash algorithm #1385

merged 5 commits into from
May 27, 2025

Conversation

jku
Copy link
Member
@jku jku commented May 15, 2025
edited
Loading

Don't assume sha256. Use verify_message() instead: it looks up the correct hash from the the timestamp response.

@jku jku force-pushed the use-correct-hash-algo branch from 52f38a3 to 6305fb1 Compare May 15, 2025 08:26
@jku jku changed the title Verifier: Use correct Timestamp hash algorithm [DRAFT] Verifier: Use correct Timestamp hash algorithm May 16, 2025
@jku
Verifier: Use correct algorithm for Timestamp hash
0da31a1 
Don't assume sha256. Use verify_message() from new rfc3161-client
instead: it looks up the correct hash from the timestamp response.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku force-pushed the use-correct-hash-algo branch from 6305fb1 to 0da31a1 Compare May 20, 2025 07:44
@jku jku changed the title [DRAFT] Verifier: Use correct Timestamp hash algorithm Verifier: Use correct Timestamp hash algorithm May 20, 2025
@jku
Copy link
Member Author
jku commented May 20, 2025
edited
Loading

lol, I made another seemingly unrelated fix in the new rfc3161-client and now lint fails because of the combination of these two fixes... trailofbits/rfc3161-client#152

This is just a lint issue so I silenced it for now but we can also wait for next rfc3161-client release.

@jku jku linked an issue May 21, 2025 that may be closed by this pull request
TSA verification only works for sha256 #1375
Closed
jku added 2 commits May 21, 2025 10:26
@jku jku marked this pull request as ready for review May 21, 2025 07:28
woodruffw
woodruffw previously approved these changes May 23, 2025
View reviewed changes
Copy link
Member
@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @jku!

(Needs deconflict but otherwise good to go.)

@jku jku enabled auto-merge (squash) May 26, 2025 07:04
@jku jku requested a review from woodruffw May 26, 2025 07:04
woodruffw
woodruffw approved these changes May 27, 2025
View reviewed changes
Copy link
Member
@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@jku jku merged commit 0fcbdc7 into sigstore:main May 27, 2025
23 checks passed
@woodruffw woodruffw added enhancement New feature or request component:verification Core verification functionality labels May 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees
No one assigned
Labels
component:verification Core verification functionality enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TSA verification only works for sha256
2 participants
@jku @woodruffw
0