
Proof of key possession is inconsistent with Fulcio #282

Closed
adityasaky opened this issue Aug 27, 2024 · 4 comments · Fixed by #283
Labels
bug Something isn't working

Comments

@adityasaky
Member

Description

sigstore-go computes the proof of key possession signature over the token's subject, while Fulcio verifies it using the token's email address. This results in the signing flow (using the public good instance) failing:

Error: Fulcio returned 400: {"code":3,"message":"The signature supplied in the request could not be verified","details":[]}

Related: sigstore/cosign#3777

Version

v0.5.1

adityasaky added the bug label Aug 27, 2024
@adityasaky
Member Author

@haydentherapper suggested using sigstore/sigstore's SubjectFromToken so that the behavior is consistent. Happy to submit a patch!

@haydentherapper
Contributor

Thanks for finding this! Yes, I think using that function would be a good fix.

I think we didn't catch this because sigstore-go signing was only used for CI identities whose tokens don't have the email_address claim. Handling tokens with emails is an exception - in a future v2 of Fulcio, we should sign over only one value, not dynamically choose, but in the meantime, using SubjectFromToken should be sufficient.
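
The mismatch this thread describes, as an added Go example that is not code from sigstore-go, sigstore/sigstore or Fulcio: a client that signs the proof of possession over `sub` is rejected by a CA that expects the email address, while selecting the value the way the thread describes (the email claim when the token carries one, otherwise `sub`) verifies. The claim names, the `email_verified` check and the Ed25519 key are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Only the ID-token claims involved in the proof of possession (assumed names).
type claims struct {
	Subject       string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// popSubject applies the selection rule the thread describes (my reading of it,
// not sigstore/sigstore's SubjectFromToken): a token with a verified email
// claim signs over the email, any other token signs over "sub".
func popSubject(payload []byte) (string, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	switch {
	case c.Email != "" && c.EmailVerified:
		return c.Email, nil
	case c.Email != "":
		return "", fmt.Errorf("email claim present but email_verified is false")
	case c.Subject != "":
		return c.Subject, nil
	}
	return "", fmt.Errorf("token carries neither email nor sub")
}

// caVerifies models the CA side of the exchange: as the issue states, it
// checks the signature against the email address when the token has one.
func caVerifies(pub ed25519.PublicKey, payload, sig []byte) bool {
	expected, err := popSubject(payload)
	return err == nil && ed25519.Verify(pub, []byte(expected), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed claims for an email-based identity; CI tokens lack "email".
	tok := []byte(`{"sub":"1234567890","email":"dev@example.com","email_verified":true}`)
	bad := ed25519.Sign(priv, []byte("1234567890")) // signed over sub only
	subj, _ := popSubject(tok)
	good := ed25519.Sign(priv, []byte(subj)) // signed over the selected value
	fmt.Println(caVerifies(pub, tok, bad), caVerifies(pub, tok, good)) // false true
}
```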

@steiza
Member

steiza commented Aug 28, 2024

Changing the behavior is a little strange, in that what sigstore-go signing does now is the desired end behavior - but I understand we're a bit away from a Fulcio v2.0 release. @adityasaky it sounds like you'll post a patch?

@haydentherapper
Contributor

Changing this behavior should be in line with all other clients as well - if they support email-based identity providers, this patch is needed.

We could support multiple PoPs in Fulcio as well, but with how the code is set up currently, that is not possible.
