Open
Description
I'm fixing our conformance test suite support (#1443) and found a test that fails: test_verify_dsse_bundle_with_trust_root
- test uses custom trust root trusted_root.d.json
- the bundle d.txt.good.sigstore.json contains a rekor v1 entry with integrated time and a TSA timestamp
- test expects success but sigstore-python thinks there are not enough valid timestamps
This is partially related to #1421 but I think it's also something more: "signer certificate not found?"
Should test the timestamp content with plain rfc3161-client with the cert chain from the custom trusted root.
E
E [18:33:39] ERROR Error while verifying certificates: Unable to create signers: verifier.py:138
E ErrorStack([Error { code: 276824192, library: "PKCS7 routines",
E function: "PKCS7_get0_signers", reason: "signer certificate not
E found", file: "crypto/pkcs7/pk7_smime.c", line: 413 }])
E Traceback (most recent call last):
E File
E "/home/jkukkonen/.venvs/sigstore-python/lib/python3.11/site-packages
E /rfc3161_client/verify.py", line 321, in _verify_tsr_with_chains
E self._verify_signed_data(p7, verification_certificate)
E File
E "/home/jkukkonen/.venvs/sigstore-python/lib/python3.11/site-packages
E /rfc3161_client/verify.py", line 339, in _verify_signed_data
E return _rust_verify.pkcs7_verify(sig, list(certificates))
E ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
E ValueError: Unable to create signers: ErrorStack([Error { code:
E 276824192, library: "PKCS7 routines", function:
E "PKCS7_get0_signers", reason: "signer certificate not found", file:
E "crypto/pkcs7/pk7_smime.c", line: 413 }])
E
E During handling of the above exception, another exception occurred:
E
E Traceback (most recent call last):
E File
E "/home/jkukkonen/src/sigstore-python/sigstore/verify/verifier.py",
E line 135, in _verify_signed_timestamp
E verifier.verify_message(timestamp_response, message) # type:
E ignore[attr-defined]
E ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
E File
E "/home/jkukkonen/.venvs/sigstore-python/lib/python3.11/site-packages
E /rfc3161_client/verify.py", line 181, in verify_message
E return self.verify(timestamp_response, hashed_message)
E ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
E File
E "/home/jkukkonen/.venvs/sigstore-python/lib/python3.11/site-packages
E /rfc3161_client/verify.py", line 199, in verify
E self._verify_tsr_with_chains(timestamp_response)
E File
E "/home/jkukkonen/.venvs/sigstore-python/lib/python3.11/site-packages
E /rfc3161_client/verify.py", line 324, in _verify_tsr_with_chains
E raise VerificationError(msg)
E rfc3161_client.errors.VerificationError: Error while verifying
E certificates: Unable to create signers: ErrorStack([Error { code:
E 276824192, library: "PKCS7 routines", function:
E "PKCS7_get0_signers", reason: "signer certificate not found", file:
E "crypto/pkcs7/pk7_smime.c", line: 413 }])
E ERROR FAIL: _cli.py:1071
E SHA2_256:330a043220fa13e01d68a7db39c89e12b0c4c3b6a0346fe624b0903f1303b5
E b2
E ERROR not enough timestamps validated to meet the validation threshold (0/1)