Open haydentherapper opened 4 months ago

Description

Tracking bug for https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/tlog.go#L174

This is not absolutely necessary because we do already compare against the signature, which should effectively bind the entry to the artifact.

Was there any more discussion on whether this is worth moving forward with?

I don't think cosign does this, from what I've been able to tell.

IIRC yeah, Cosign does not check this either; it only compares signatures - https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1164-L1188

Signatures are malleable: for example, an ECDSA signature can be represented in two ways, so a signature should not be considered unique. In this example though, that doesn't present an issue from what I can tell; if anything, malleability would cause a comparison failure.

@woodruffw Did you have any thoughts here?
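The malleability point raised in the thread, as an added Go example that is not code from sigstore-go or cosign: a DER ECDSA signature (r, s) has a twin (r, n-s) that verifies against the same key and digest, so a byte-for-byte comparison of signatures is a check on encoding, not identity, and a re-encoded signature fails the comparison rather than passing it. The helper names, the P-256 key and the payload are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// ecdsaSig is the ASN.1 SEQUENCE { r INTEGER, s INTEGER } layout of a DER ECDSA signature.
type ecdsaSig struct {
	R, S *big.Int
}

// malleateSig returns the alternate encoding (r, n-s) of a DER ECDSA signature.
// Both (r, s) and (r, n-s) verify for the same key and digest, so the raw
// signature bytes are not a unique identifier for "the" signature.
func malleateSig(der []byte, curve elliptic.Curve) ([]byte, error) {
	var sig ecdsaSig
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after signature")
	}
	sig.S = new(big.Int).Sub(curve.Params().N, sig.S) // s' = n - s, still in [1, n-1]
	return asn1.Marshal(sig)
}

// demo signs a constructed payload with a fresh P-256 key, derives the twin
// encoding, and reports whether both verify and whether their bytes are equal.
func demo() (bothVerify bool, bytesEqual bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte("constructed artifact payload")) // constructed sample input
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return false, false, err
	}
	twin, err := malleateSig(sig, elliptic.P256())
	if err != nil {
		return false, false, err
	}
	bothVerify = ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig) &&
		ecdsa.VerifyASN1(&key.PublicKey, digest[:], twin)
	return bothVerify, bytes.Equal(sig, twin), nil
}

func main() {
	ok, eq, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("both encodings verify: %v, bytes equal: %v\n", ok, eq)
}
```

Go's crypto/ecdsa accepts either s value, which is why a verifier that wants a single canonical form has to enforce low-s itself rather than rely on byte comparison.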