v0.1.2 — security patch

@chopmob-cloud chopmob-cloud released this 27 May 05:34
· 8 commits to main since this release
v0.1.2
ad81115

Security patch — 0.1.2

HIGH fixes

H-1 — Vacuous-truth bypass (empty signatures)
ArtefactVerifyResult.ok and verifyArtefact() previously accepted artefacts with zero declared signatures as valid because all([]) / [].every() vacuously return True/true. An unsigned payload with a valid canonical SHA could pass the verifier.

Fix: both Python and TypeScript now require at least one signature to be present and verified before ok is True.

H-2 — Missing payload raises ValueError not KeyError (Python)
verify_artefact() previously raised a bare KeyError if mandate_body was absent. Now accepts mandate_body or payload (matching the TypeScript convention), and raises ValueError with a useful message if neither is present. Same fix applied to missing expected_canonical_sha256.
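
An added example, not the project's own code: a minimal verifier showing the H-1 empty-signature bypass next to the strict check, with the H-2 ValueError handling for missing fields. The function names, the artefact layout (a signatures list of key_id/sig entries), the canonical JSON form and the use of HMAC-SHA256 in place of the real signature algorithms are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for the real signature schemes.
DEMO_KEYS = {"key-1": b"constructed-demo-secret"}

def canonical_sha256(body):
    # Assumed canonical form: sorted keys, compact separators.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def sign(body, key_id):
    mac = hmac.new(DEMO_KEYS[key_id], canonical_sha256(body).encode(), hashlib.sha256)
    return {"key_id": key_id, "sig": mac.hexdigest()}

def check(artefact):
    # H-2: accept either field name and raise ValueError, not a bare KeyError.
    body = artefact.get("mandate_body", artefact.get("payload"))
    if body is None:
        raise ValueError("artefact has neither 'mandate_body' nor 'payload'")
    if "expected_canonical_sha256" not in artefact:
        raise ValueError("artefact is missing 'expected_canonical_sha256'")
    sha_ok = hmac.compare_digest(canonical_sha256(body), artefact["expected_canonical_sha256"])
    results = []
    for s in artefact.get("signatures", []):
        known = s.get("key_id") in DEMO_KEYS
        results.append(known and hmac.compare_digest(sign(body, s["key_id"])["sig"], s.get("sig", "")))
    return sha_ok, results

def verify_vacuous(artefact):
    """Pre-fix logic: all([]) is True, so an artefact with zero signatures passes."""
    sha_ok, results = check(artefact)
    return sha_ok and all(results)

def verify_strict(artefact):
    """Post-fix logic: at least one signature must be present and all must verify."""
    sha_ok, results = check(artefact)
    return sha_ok and len(results) > 0 and all(results)

# Constructed sample artefacts: one signed, one with an empty signature list.
BODY = {"action": "transfer", "amount": 100}
SIGNED = {"mandate_body": BODY, "expected_canonical_sha256": canonical_sha256(BODY),
          "signatures": [sign(BODY, "key-1")]}
UNSIGNED = {"payload": BODY, "expected_canonical_sha256": canonical_sha256(BODY),
            "signatures": []}
```

A regression test for this class of bug asserts that the empty-list artefact is rejected, not only that a bad signature is rejected.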


MEDIUM fixes

M-1 — ECDSA nonce determinism documented
cryptography >= 42 uses OpenSSL 3.x which defaults to RFC 6979 deterministic ECDSA nonces. No API change required; documented in source.

M-2 — verifyES256Strict added (TypeScript)
New export for callers needing malleability protection (lowS: true). verifyES256 retains lowS: false for cross-implementation interop. Both exported from the package root.

M-3 — Registry-known unimplemented algorithms
Already fail-closed (ok: false); comment clarifies intent distinction from UnknownSignatureAlgorithmError.

M-4 — Version consistency
__version__ / VERSION / package.json all bumped to 0.1.2.

M-5 — pqcrypto pinned
pqcrypto>=0.4.0,<0.5 → pqcrypto==0.4.0 to prevent silent breakage from upstream changes.


Lower severity

  • L-1 .gitignore comment: _attestations/ is intentionally tracked.
  • L-2 Java compactToDerEcdsa: explicit runtime check that SEQUENCE body length fits single-byte ASN.1 encoding (safe for P-256, fails loudly for anything larger).
  • L-3 PHP jsonEscape: ASCII-only scope documented in comment.
  • L-5 Python verify.py module docstring: payload size limit absence documented.

Test coverage added

  • +7 Python security regression tests (tests/test_security.py)
  • +7 TypeScript security regression tests (ts/tests/security.test.ts)
  • Full suite: 34 Python + 33 TypeScript all green

Published