Breaking change: Change SCT verification behavior to default to enforcement #2400
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

// TODO: Move back into verify_test.go once the test cert has been regenerated
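Review bot: the TODO on the moved test should state what "regenerated" has to fix, namely that the current test cert is signed with a SHA-1 digest that Go rejects unless GODEBUG is set, and link the tracking issue, so the build-tagged file is not forgotten once the cert is replaced; e.g. `// TODO: Move back into verify_test.go once the test cert is regenerated with a non-SHA-1 signature (Go rejects the SHA-1-signed cert without a GODEBUG override)`.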
FYI - This was because the test cert is signed with a SHA1 digest algorithm, and golang throws an error in testing. To override, you need to set GODEBUG, but this can't be set in the test itself. I've tried various things, but the easiest was to simply move this test to its own file with a build tag. Note that this is still tested in GHA tests.
Codecov Report
@@            Coverage Diff             @@
##             main    #2400      +/-   ##
==========================================
- Coverage   30.13%   30.06%   -0.08%
==========================================
  Files         136      136
  Lines        8441     8481      +40
==========================================
+ Hits         2544     2550       +6
- Misses       5568     5597      +29
- Partials      329      334       +5
The public good CA always returns an embedded SCT. If you want to skip the check, you now must provide a flag to do so. Before, you had to provide a flag to enforce the check.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
1cb8bfd to d66805d
Resolved merge conflict
Bump!
looks great!
@haydentherapper I think this might be breaking tests at head: I think the leaf cert generation doesn't attach an SCT. I have no idea how tests passed though!
The public good CA always returns an embedded SCT. If you want to skip the check, you now must provide a flag to do so. Before, you had to provide a flag to enforce the check.
Fixes #2382
Summary
Release Note
Changed SCT verification to enforce that the Fulcio certificate has been logged
Documentation