ComplianceAsCode / auditree-framework

The Auditree framework tool to run compliance control checks as unit tests.
https://auditree.github.io/
Apache License 2.0

Non-binary evidence with a foreign newline convention cannot be verified. #155

Closed smithsz closed 2 months ago

smithsz commented 1 year ago

Overview

Universal newline support is enabled by default in all calls that read data. This means that any non-binary evidence with a foreign newline convention cannot be verified. When the evidence is read, all line endings are converted to '\n' which changes the expected digest.

Example

Actual Digest

$ openssl dgst -sha256 /tmp/evidence.txt
SHA2-256(/tmp/evidence.txt)= 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

Digest Mismatch

>>> import hashlib
>>> open('/tmp/evidence.txt', 'r').read().encode()
b'\n'
>>> hashlib.sha256(open('/tmp/evidence.txt', 'r').read().encode()).hexdigest()
'01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'

Expected Digest

>>> open('/tmp/evidence.txt', 'r', newline='').read().encode()
b'\r\n'
>>> hashlib.sha256(open('/tmp/evidence.txt', 'r', newline='').read().encode()).hexdigest()
'7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6'

Proposed Solution

Set universal_newlines=True when fetching local commands here.

If you must retain evidence with foreign newline conventions then set binary_content = True.
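The digest mismatch described in this issue, reproduced as an added example (not code from auditree-framework or from the reporter). It writes a constructed CRLF evidence file to a temporary directory, hashes it three ways (default text mode with universal newlines, text mode with newline='' so line endings are preserved, and binary mode), and wraps the preserving read in a small verify_evidence helper with a hypothetical binary_content flag mirroring the workaround mentioned above. Function names and the sample content are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Constructed sample evidence with Windows (CRLF) line endings; two lines.
SAMPLE_EVIDENCE = b"control: encryption-at-rest\r\nresult: pass\r\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes, the same thing `openssl dgst -sha256` prints."""
    return hashlib.sha256(data).hexdigest()


def write_sample_evidence() -> str:
    """Write SAMPLE_EVIDENCE byte-for-byte to a temp file and return its path."""
    tmpdir = tempfile.mkdtemp(prefix="evidence-")
    path = os.path.join(tmpdir, "evidence.txt")
    with open(path, "wb") as fh:          # binary write: no newline translation
        fh.write(SAMPLE_EVIDENCE)
    return path


def digest_universal_newlines(path: str) -> str:
    """Default text mode: '\\r\\n' is translated to '\\n' on read, so the
    hashed bytes no longer match what is on disk (the bug in this issue)."""
    with open(path, "r", encoding="utf-8") as fh:
        return sha256_hex(fh.read().encode("utf-8"))


def digest_preserved_newlines(path: str) -> str:
    """Text mode with newline='': line endings are passed through untouched."""
    with open(path, "r", encoding="utf-8", newline="") as fh:
        return sha256_hex(fh.read().encode("utf-8"))


def digest_binary(path: str) -> str:
    """Binary mode: hashes exactly the bytes on disk, whatever the newlines."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read())


def verify_evidence(path: str, expected_digest: str, binary_content: bool = False) -> bool:
    """Hypothetical verifier: compares the on-disk digest with the recorded one.
    Both branches avoid universal-newline translation, so evidence with a
    foreign newline convention verifies correctly either way."""
    actual = digest_binary(path) if binary_content else digest_preserved_newlines(path)
    return actual == expected_digest


def reproduce_issue_digests() -> dict:
    """The two one-byte/two-byte cases from the issue: hashing '\\n' versus '\\r\\n'."""
    return {"lf": sha256_hex(b"\n"), "crlf": sha256_hex(b"\r\n")}


if __name__ == "__main__":
    p = write_sample_evidence()
    print("binary            :", digest_binary(p))
    print("newline=''        :", digest_preserved_newlines(p))
    print("universal newlines:", digest_universal_newlines(p))
    print("verify (text)     :", verify_evidence(p, sha256_hex(SAMPLE_EVIDENCE)))
    print("verify (binary)   :", verify_evidence(p, sha256_hex(SAMPLE_EVIDENCE), binary_content=True))
```

Running it shows the binary digest and the newline='' digest agreeing with each other and with the digest of the raw bytes, while the default text-mode digest differs because every '\r\n' collapsed to '\n' before hashing; only the first two are suitable for comparing against a digest recorded when the evidence was fetched.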

cletomartin commented 2 months ago

This seems to be done already.