Dsse one sig #226

Merged
merged 6 commits into from
Jul 11, 2024

kommendorkapten
Member

Summary

Closes #225

This is implemented by verifying that the envelope has exactly one signature during the verification process. This is a bug-fix, as the protobuf spec for the bundle requires exactly one signature to be present in the envelope.

Note that I did not choose to modify the Signature function. This could be done too, but I think it is better to have the verification process be more strict, as it is a security feature.

Release Note

  • Signature verification of bundles with DSSE envelopes now verifies that the envelope has exactly one signature.

Documentation

N/A

Signed-off-by: Fredrik Skogman <[email protected]>
This is a bug-fix, as the protobuf spec for the bundle requires exactly one
signature to be present in the envelope.

Signed-off-by: Fredrik Skogman <[email protected]>
pkg/verify/dsse_test.go (outdated review thread, resolved)
Better error name, more explicit about the usage.
More explicit test case name.

Signed-off-by: Fredrik Skogman <[email protected]>
@kommendorkapten kommendorkapten merged commit a0f4538 into main Jul 11, 2024
11 checks passed
@kommendorkapten kommendorkapten deleted the dsse-one-sig branch July 11, 2024 12:46
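
The check described in the summary, shown as an added example that is not code from this pull request or from the project: a minimal DSSE verifier that rejects any envelope whose signature count is not exactly one before it does any cryptography. The names `Envelope`, `VerifyEnvelope`, `SampleEnvelope` and `ErrSignatureCount` are made up for illustration, and an Ed25519 key is assumed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Envelope mirrors the DSSE JSON envelope; payload and sig are base64.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"`
}

var ErrSignatureCount = errors.New("envelope must contain exactly one signature") // name invented here
// pae is the DSSE pre-authentication encoding, the bytes that are signed.
func pae(t string, b []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(b), b)) }

// VerifyEnvelope checks the signature count before any cryptography.
func VerifyEnvelope(raw []byte, pub ed25519.PublicKey) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	if len(env.Signatures) != 1 {
		return nil, ErrSignatureCount
	}
	body, err1 := base64.StdEncoding.DecodeString(env.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(env.Signatures[0].Sig)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return nil, errors.New("signature verification failed")
	}
	return body, nil
}

// SampleEnvelope builds a constructed envelope with n copies of a valid signature.
func SampleEnvelope(priv ed25519.PrivateKey, typ string, body []byte, n int) []byte {
	b64 := base64.StdEncoding.EncodeToString
	sigs := strings.Repeat(fmt.Sprintf(`{"sig":%q},`, b64(ed25519.Sign(priv, pae(typ, body)))), n)
	return []byte(fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[%s]}`, typ, b64(body), strings.TrimSuffix(sigs, ",")))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	fmt.Println(VerifyEnvelope(SampleEnvelope(priv, "text/plain", []byte("hi"), 2), pub))
}
```

Even when every signature in the envelope is valid, a count other than one is rejected, so the verifier never has to decide which signature to trust.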
Development

Successfully merging this pull request may close these issues.

Improper verification of number of DSSE signatures