Closed S1eepeng closed 22 hours ago
cc @sethmlarson
I'm able to reproduce the issue:
python -m sigstore --version
sigstore 3.1.0
python -m sigstore verify identity --verbose --bundle Python-3.12.5.tgz.sigstore --cert-identity thomas@python.org --cert-oidc-issuer https://accounts.google.com Python-3.12.5.tgz
[15:49:23] DEBUG parsed arguments Namespace(verbose=1, staging=False, trust_config=None, subcommand='verify', verify_subcommand='identity', certificate=None, signature=None, _cli.py:421
bundle=PosixPath('Python-3.12.5.tgz.sigstore'), files=[PosixPath('Python-3.12.5.tgz')], offline=False, cert_identity='thomas@python.org',
cert_oidc_issuer='https://accounts.google.com')
DEBUG TUF metadata: /home/sethmlarson/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev tuf.py:114
DEBUG TUF targets cache: /home/sethmlarson/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev tuf.py:115
[15:49:24] DEBUG Found and verified trusted root tuf.py:152
DEBUG Using bundle from: Python-3.12.5.tgz.sigstore _cli.py:701
DEBUG 0.1 bundle contains inclusion proof without checkpoint; ignoring models.py:452
DEBUG Verifying contents from: Python-3.12.5.tgz _cli.py:725
DEBUG Found <Name(O=sigstore.dev,CN=sigstore-intermediate)> as issuer, verifying if it is a ca sct.py:180
DEBUG attempting to verify SCT with key ID dd3d306ac6c7113263191e1c99673702a24a5eb8de3cadff878a72802f29ee8e sct.py:234
DEBUG Successfully verified signing certificate validity... verifier.py:196
ERROR FAIL: Python-3.12.5.tgz _cli.py:745
ERROR invalid log entry: note must contain one blank line, delineating the text from the signature block errors.py:41
Raising original exception:
ERROR invalid log entry: note must contain one blank line, delineating the text from the signature block errors.py:41
Raising original exception:
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/tmp/venv/lib/python3.12/site-packages/sigstore/__main__.py", line 22, in <module>
main()
File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 445, in main
e.log_and_exit(_logger, args.verbose >= 1)
File "/tmp/venv/lib/python3.12/site-packages/sigstore/errors.py", line 46, in log_and_exit
raise self
File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 432, in main
_verify_identity(args)
File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 746, in _verify_identity
exc.log_and_exit(_logger, args.verbose >= 1)
File "/tmp/venv/lib/python3.12/site-packages/sigstore/errors.py", line 46, in log_and_exit
raise self
File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 742, in _verify_identity
_verify_common(verifier, hashed, bundle, policy_)
File "/tmp/venv/lib/python3.12/site-packages/sigstore/_cli.py", line 822, in _verify_common
verifier.verify_artifact(
File "/tmp/venv/lib/python3.12/site-packages/sigstore/verify/verifier.py", line 317, in verify_artifact
self._verify_common_signing_cert(bundle, policy)
File "/tmp/venv/lib/python3.12/site-packages/sigstore/verify/verifier.py", line 205, in _verify_common_signing_cert
raise VerificationError(f"invalid log entry: {exc}")
sigstore.errors.VerificationError: invalid log entry: note must contain one blank line, delineating the text from the signature block
I've shared this with the Python Sigstore CLI team to see if this is expected.
Triaging this from the sigstore-python side; thank you for the ping @sethmlarson!
I've done some initial triage in https://github.com/sigstore/sigstore-python/issues/1088; the TL;DR is that @S1eepeng is correct about the basic cause, and we have at least 3 possible resolutions available to us.
This has been completed here, all bundles have been migrated to work with the latest Sigstore CLI: https://github.com/python/release-tools/issues/161
Hello!
When I downloaded and verified the .sigstore file in https://www.python.org/downloads/release/python-3125/, following the instruction in https://www.python.org/download/sigstore/, an error occurred: note must contain one blank line, delineating the text from the signature block.
But when I tried to verify it in python3.11.0.sigstore, the result was OK. I've compared these two, and found that the sigstore-python versions of python3.11.0 and 3.12.5 are v0.2 and v0.1 respectively, and the .sigstore file of v0.1 was missing the "checkpoint" block. I've checked the changelog of sigstore-python and found that it adds verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints since v2.0. After I completed the checkpoint, the verification passed.
The conclusion is that the sigstore-python version used in cPython seems to be too low (<0.2), causing the .sigstore file to fail the client verification. Although this is not a serious problem, it can cause some usability issues.
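As an added example (not code from this issue, from sigstore-python or from the release tools), a small Python checker that reports a bundle's version and whether each transparency log entry's inclusion proof carries a checkpoint note with the blank line between body and signature block that the error above complains about; the JSON field names follow the Sigstore bundle format, and the sample bundles and checkpoint values are constructed placeholders.

```python
import json

# Bundle media type prefix; the version suffix tells a 0.1 bundle (no checkpoint) from 0.2+.
_MEDIA_PREFIX = "application/vnd.dev.sigstore.bundle+json;version="
_SIG_PREFIX = "\u2014 "  # signed-note signature lines start with an em dash and a space

def parse_checkpoint_note(note: str) -> dict:
    """Split a signed checkpoint note: body (origin, tree size, root hash), one blank line, signatures."""
    if "\n\n" not in note:
        raise ValueError("note must contain one blank line, delineating the text from the signature block")
    body, sigs = note.split("\n\n", 1)
    lines = body.split("\n")
    if len(lines) < 3:
        raise ValueError("checkpoint body needs origin, tree size and root hash lines")
    sig_lines = [s for s in sigs.split("\n") if s]
    if not sig_lines or any(not s.startswith(_SIG_PREFIX) for s in sig_lines):
        raise ValueError("signature block is empty or malformed")
    return {"origin": lines[0], "tree_size": int(lines[1]), "root_hash": lines[2], "signatures": sig_lines}

def inspect_bundle(bundle_json: str) -> dict:
    """Report the bundle version and each tlog entry whose checkpoint is missing or unparseable."""
    bundle = json.loads(bundle_json)
    media = bundle.get("mediaType", "")
    version = media[len(_MEDIA_PREFIX):] if media.startswith(_MEDIA_PREFIX) else "unknown"
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    problems = []
    for i, entry in enumerate(entries):
        proof = entry.get("inclusionProof")
        if proof is None:
            problems.append(f"entry {i}: no inclusion proof")
            continue
        envelope = proof.get("checkpoint", {}).get("envelope", "")
        if not envelope:
            problems.append(f"entry {i}: inclusion proof has no checkpoint")
            continue
        try:
            parse_checkpoint_note(envelope)
        except ValueError as exc:
            problems.append(f"entry {i}: {exc}")
    return {"version": version, "entries": len(entries), "problems": problems}

def _sample(version: str, proof_extra: dict) -> str:
    """Constructed sample bundle with placeholder values (not real log data)."""
    proof = {"logIndex": "1", "rootHash": "AAAA", "treeSize": "2", "hashes": [], **proof_extra}
    return json.dumps({"mediaType": _MEDIA_PREFIX + version,
                       "verificationMaterial": {"tlogEntries": [{"logIndex": "1", "inclusionProof": proof}]}})

OLD_BUNDLE = _sample("0.1", {})  # like the Python 3.12.5 bundle: inclusion proof, no checkpoint
NEW_BUNDLE = _sample("0.2", {"checkpoint": {"envelope": "rekor.example - 1\n2\nAAAA\n\n\u2014 rekor.example c2ln\n"}})
BAD_BUNDLE = _sample("0.2", {"checkpoint": {"envelope": "rekor.example - 1\n2\nAAAA\n"}})  # blank line missing
```

Running `inspect_bundle` over a downloaded `.sigstore` file before invoking the CLI tells you whether a failure is a missing checkpoint (an old bundle to be regenerated) rather than a bad signature.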