python / cpython

The Python programming language
https://www.python.org

A compatibility problem of sigstore-python? #122785

Closed S1eepeng closed 22 hours ago

S1eepeng commented 1 month ago

Hello!

When I downloaded and verified the .sigstore file from https://www.python.org/downloads/release/python-3125/, following the instructions in https://www.python.org/download/sigstore/, an error occurred:

note must contain one blank line, delineating the text from the signature block.

But when I tried to verify it in python3.11.0.sigstore, the result was OK. I've compared these two, and found that the sigstore-python versions of python3.11.0 and 3.12.5 are v0.2 and v0.1 respectively, and the .sigstore file of v0.1 missed the "checkpoint" block. I've checked the changelog of sigstore-python and found that it adds verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints since v2.0. After I completed the checkpoint, the verification passed.

The conclusion is that the sigstore-python version used in CPython seems to be too low (<0.2), causing the .sigstore file to fail the client verification. Although this is not a serious problem, it can cause some usability issues.
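An added pre-flight check, not part of this thread and not CPython's or sigstore-python's own code, that inspects a bundle's transparency-log entry for the signed checkpoint described above as missing from the v0.1 bundle. It assumes the JSON field names of the Sigstore bundle format (mediaType, verificationMaterial.tlogEntries[].inclusionProof.checkpoint.envelope) and the signed-note layout of a Rekor checkpoint (text lines, one blank line, then signature lines); the sample bundles, key id, hashes and checkpoint are constructed placeholders, not values from any real release.

```python
"""Pre-flight audit of the transparency-log material in a Sigstore bundle.

Added example, not code from CPython or sigstore-python. Assumes the Sigstore
bundle JSON field names and the signed-note layout of a Rekor checkpoint.
All sample values below are constructed placeholders.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Bundle media types as defined by the Sigstore protobuf-specs.
V01 = "application/vnd.dev.sigstore.bundle+json;version=0.1"
V02 = "application/vnd.dev.sigstore.bundle+json;version=0.2"

# A signed-note signature line: em dash (U+2014), space, signer name, space, base64.
_SIG_LINE = re.compile(r"^\u2014 \S+ [A-Za-z0-9+/=]+$")


def check_checkpoint_envelope(envelope: str) -> list[str]:
    """Return structural problems found in a checkpoint's signed-note envelope.

    A missing blank line between the note text and the signature block is
    exactly the condition sigstore-python reports as "note must contain one
    blank line, delineating the text from the signature block".
    """
    if not envelope:
        return ["checkpoint envelope is empty or missing"]
    if "\n\n" not in envelope:
        return ["note lacks the blank line separating text from signature block"]
    text, _, sig_block = envelope.partition("\n\n")
    problems: list[str] = []
    body = text.split("\n")
    # Rekor checkpoint body: origin, tree size, root hash (extra lines are allowed).
    if len(body) < 3:
        problems.append("checkpoint body needs origin, tree size and root hash lines")
    elif not body[1].isdigit():
        problems.append(f"tree size line is not a decimal integer: {body[1]!r}")
    sig_lines = [line for line in sig_block.split("\n") if line]
    if not sig_lines:
        problems.append("no signature lines after the blank line")
    for line in sig_lines:
        if not _SIG_LINE.match(line):
            problems.append(f"malformed signature line: {line!r}")
    return problems


def audit_bundle(bundle: dict) -> list[str]:
    """Report why a parsed bundle may fail inclusion-proof checks in newer clients."""
    findings: list[str] = []
    if bundle.get("mediaType") == V01:
        findings.append("bundle is version 0.1; clients that require a checkpoint may reject it")
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    if not entries:
        findings.append("bundle has no transparency log entries")
    for i, entry in enumerate(entries):
        proof = entry.get("inclusionProof")
        if proof is None:
            findings.append(f"tlogEntries[{i}]: no inclusion proof present")
            continue
        envelope = proof.get("checkpoint", {}).get("envelope", "")
        findings.extend(f"tlogEntries[{i}]: {p}" for p in check_checkpoint_envelope(envelope))
    return findings


def audit_bundle_json(text: str) -> list[str]:
    """Audit a bundle given as a JSON string (what a .sigstore file contains)."""
    return audit_bundle(json.loads(text))


def _sample_bundle(media_type: str, checkpoint: Optional[str]) -> dict:
    """Build a constructed bundle with one hashedrekord entry (placeholder values)."""
    proof = {"logIndex": "1", "rootHash": "c2FtcGxlLXJvb3Q=", "treeSize": "2",
             "hashes": ["c2libGluZw=="]}
    if checkpoint is not None:
        proof["checkpoint"] = {"envelope": checkpoint}
    entry = {"logIndex": "1", "logId": {"keyId": "placeholder-key-id"},
             "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
             "integratedTime": "1700000000", "inclusionProof": proof}
    return {"mediaType": media_type, "verificationMaterial": {"tlogEntries": [entry]}}


# Constructed checkpoint: origin, tree size, root hash, blank line, one signature line.
GOOD_CHECKPOINT = "rekor.example - 1234567890\n2\nc2FtcGxlLXJvb3Q=\n\n\u2014 rekor.example c2lnbmF0dXJl\n"
OLD_BUNDLE_JSON = json.dumps(_sample_bundle(V01, None))      # v0.1 style: proof, no checkpoint
NEW_BUNDLE_JSON = json.dumps(_sample_bundle(V02, GOOD_CHECKPOINT))

if __name__ == "__main__":
    for name, doc in (("v0.1", OLD_BUNDLE_JSON), ("v0.2", NEW_BUNDLE_JSON)):
        print(name, audit_bundle_json(doc) or ["ok"])
```

Run against a .sigstore file's contents, the audit names the v0.1 media type and the empty checkpoint envelope before `python -m sigstore verify` gets as far as the signed-note parser; it is a structural check on the bundle, not a substitute for the signature and inclusion-proof verification the client performs.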

hugovk commented 1 month ago

cc @sethmlarson

sethmlarson commented 1 month ago

I'm able to reproduce the issue:

python -m sigstore --version
sigstore 3.1.0

python -m sigstore verify identity --verbose --bundle Python-3.12.5.tgz.sigstore --cert-identity thomas@python.org --cert-oidc-issuer https://accounts.google.com Python-3.12.5.tgz
[15:49:23] DEBUG    parsed arguments Namespace(verbose=1, staging=False, trust_config=None, subcommand='verify', verify_subcommand='identity', certificate=None, signature=None, bundle=PosixPath('Python-3.12.5.tgz.sigstore'), files=[PosixPath('Python-3.12.5.tgz')], offline=False, cert_identity='thomas@python.org', cert_oidc_issuer='https://accounts.google.com')  _cli.py:421
           DEBUG    TUF metadata: /home/sethmlarson/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev  tuf.py:114
           DEBUG    TUF targets cache: /home/sethmlarson/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev  tuf.py:115
[15:49:24] DEBUG    Found and verified trusted root  tuf.py:152
           DEBUG    Using bundle from: Python-3.12.5.tgz.sigstore  _cli.py:701
           DEBUG    0.1 bundle contains inclusion proof without checkpoint; ignoring  models.py:452
           DEBUG    Verifying contents from: Python-3.12.5.tgz  _cli.py:725
           DEBUG    Found <Name(O=sigstore.dev,CN=sigstore-intermediate)> as issuer, verifying if it is a ca  sct.py:180
           DEBUG    attempting to verify SCT with key ID dd3d306ac6c7113263191e1c99673702a24a5eb8de3cadff878a72802f29ee8e  sct.py:234
           DEBUG    Successfully verified signing certificate validity...  verifier.py:196
           ERROR    FAIL: Python-3.12.5.tgz  _cli.py:745
           ERROR    invalid log entry: note must contain one blank line, delineating the text from the signature block  errors.py:41
                    Raising original exception:
           ERROR    invalid log entry: note must contain one blank line, delineating the text from the signature block  errors.py:41
                    Raising original exception:
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/__main__.py", line 22, in <module>
    main()
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 445, in main
    e.log_and_exit(_logger, args.verbose >= 1)
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/errors.py", line 46, in log_and_exit
    raise self
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 432, in main
    _verify_identity(args)
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 746, in _verify_identity
    exc.log_and_exit(_logger, args.verbose >= 1)
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/errors.py", line 46, in log_and_exit
    raise self
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 742, in _verify_identity
    _verify_common(verifier, hashed, bundle, policy_)
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 822, in _verify_common
    verifier.verify_artifact(
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/verify/verifier.py", line 317, in verify_artifact
    self._verify_common_signing_cert(bundle, policy)
  File "/tmp/venv/lib/python3.12/site-packages/sigstore/verify/verifier.py", line 205, in _verify_common_signing_cert
    raise VerificationError(f"invalid log entry: {exc}")
sigstore.errors.VerificationError: invalid log entry: note must contain one blank line, delineating the text from the signature block

I've shared this with the Python Sigstore CLI team to see if this is expected.

woodruffw commented 1 month ago

Triaging this from the sigstore-python side; thank you for the ping @sethmlarson!

woodruffw commented 1 month ago

I've done some initial triage in https://github.com/sigstore/sigstore-python/issues/1088; the TL;DR is that @S1eepeng is correct about the basic cause, and we have at least 3 possible resolutions available to us.

sethmlarson commented 22 hours ago

This has been completed here, all bundles have been migrated to work with the latest Sigstore CLI: https://github.com/python/release-tools/issues/161