-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix proof of key possession generation #283
Conversation
I've copied |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this approach makes sense. Could we add some unit tests?
Happy to! I held off until there was consensus on whether |
7f85fe3
to
2fb105a
Compare
c2495cc
to
06647de
Compare
06647de
to
2d9a911
Compare
(apologies for all the force pushes) I think this is now ready for review, I've updated sigstore/sigstore to v1.8.9 that @haydentherapper just cut, which includes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks!
This commit updates the proof of key possession signature to prioritize email over subject when the claim is present in the token. This matches the current behaviour of Fulcio, which verifies the proof signature using the token's email claim. Signed-off-by: Aditya Sirish <[email protected]>
2d9a911
to
46ff857
Compare
Didn't realize there was another go.mod, I've updated it as well now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Summary
This commit updates the proof of key possession signature to prioritize email over subject when the claim is present in the token. This matches the current behaviour of Fulcio, which verifies the proof signature using the token's email claim.
Closes #282
Release Note
Updated proof of key possession signature to use email when it's present in the token.
Documentation
NONE