Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry pick vulnerability PRs to release-1.5 #1486

merged 3 commits into from Feb 18, 2022


Copy link

@priyawadhwa priyawadhwa commented Feb 18, 2022

Cherry picks


nsmith5 and others added 2 commits Feb 18, 2022
* Make sure signature in Rekor bundle matches signature being verified

Signed-off-by: Priya Wadhwa <>

* Only print "fulcio verified" when using Fulcio

Currently we tell users that we've verified against the Fulcio root
trust when verifying but this isn't always true. This work ensures we
only say this when we actually use the Fulcio root cert for

Signed-off-by: Nathan Smith <>

* Add e2e test

Signed-off-by: Nathan Smith <>

Co-authored-by: Priya Wadhwa <>
Signed-off-by: Priya Wadhwa <>
@cpanato cpanato requested a review from dlorenc Feb 18, 2022
Signed-off-by: Dan Lorenc <>
@dlorenc dlorenc merged commit c09e04a into sigstore:release-1.5 Feb 18, 2022
21 checks passed
@priyawadhwa priyawadhwa deleted the cps branch Feb 18, 2022
@cpanato cpanato added this to the v1.5.2 milestone Feb 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

5 participants