sigstore / sigstore-conformance

Conformance testing for Sigstore clients
https://sigstore.dev

Add bundle tests to ensure different parts of verification are happening #83

Closed steiza closed 1 year ago

steiza commented 1 year ago

Description

The existing tests on https://github.com/sigstore/sigstore-conformance/blob/main/test/test_bundle.py could exercise more failure paths, like ensuring you're using the right trust root, ensuring the signed entry timestamp is from the correct timeframe, and that the message signature and digest haven't been tampered with.

steiza commented 1 year ago

There's more to do, but the initial intent is covered by https://github.com/sigstore/sigstore-conformance/pull/84, so I think we can close this out.
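
The tampering cases listed in the issue description can be produced mechanically from one known-good bundle. The sketch below is an added example, not code from sigstore-conformance or pull request 84. It assumes the Sigstore bundle JSON field names, and `SAMPLE_BUNDLE`, `tampered_variants` and `time_shift_seconds` are hypothetical names with constructed placeholder values. The wrong-trust-root case is not covered, because it changes the trusted root given to the client rather than the bundle.

```python
import base64
import copy

# Constructed sample: field names follow the Sigstore bundle JSON layout;
# every value is a placeholder, not real signing material.
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {"tlogEntries": [{
        "integratedTime": "1700000000",
        "inclusionPromise": {
            "signedEntryTimestamp": base64.b64encode(b"placeholder-set").decode()},
    }]},
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256",
                          "digest": base64.b64encode(bytes(32)).decode()},
        "signature": base64.b64encode(b"placeholder-signature").decode(),
    },
}


def _flip_first_bit(b64_value):
    """Return b64_value with the lowest bit of its first decoded byte flipped."""
    raw = bytearray(base64.b64decode(b64_value))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def tampered_variants(bundle, time_shift_seconds=10 * 365 * 24 * 3600):
    """Map a case name to a deep copy of bundle with exactly one field altered."""
    variants = {}

    def variant(name):
        variants[name] = copy.deepcopy(bundle)
        return variants[name]

    sig = variant("signature")["messageSignature"]
    sig["signature"] = _flip_first_bit(sig["signature"])

    digest = variant("digest")["messageSignature"]["messageDigest"]
    digest["digest"] = _flip_first_bit(digest["digest"])

    promise = variant("set")["verificationMaterial"]["tlogEntries"][0]["inclusionPromise"]
    promise["signedEntryTimestamp"] = _flip_first_bit(promise["signedEntryTimestamp"])

    entry = variant("integrated_time")["verificationMaterial"]["tlogEntries"][0]
    entry["integratedTime"] = str(int(entry["integratedTime"]) + time_shift_seconds)

    return variants
```

Each variant differs from the source bundle in a single field, so a negative test that expects verification to fail on it exercises one check at a time.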