Closed codysoyland closed 2 months ago
Could we update the Content interface to include a function to return a subject digest?
Ah, this was definitely a mistake on my part.
I was trying to be clever by having sigstore-go signing only be aware of the DSSE container, and not of whether DSSE was around an in-toto statement (or something else). However, this means that when working with DSSE, we don't have any idea what artifact the document contained in the DSSE refers to.
We could add a method to content to get an artifact hash, but that information would have to be supplied by the user, and we'd be verifying it against the DSSE object, also supplied by the user. Instead I think it makes sense to skip verifying the artifact in the post-signing verification case, if we're working with DSSE (see #258).
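The check this thread is asking for, comparing an artifact digest against the subjects of the in-toto statement carried inside a DSSE envelope rather than against the PAE bytes, as an added example in Go. It is not sigstore-go code and not from any participant in this issue: the artifact, statement and envelope are constructed inline, the signature is a placeholder (nothing here verifies a signature), and the names PAE, SubjectSHA256s, ArtifactMatchesSubject and SampleEnvelope are this example's own, not sigstore-go's API.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Envelope mirrors the DSSE envelope JSON. The payload is base64, and the
// signature covers PAE(payloadType, payload), not the raw payload bytes.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid,omitempty"`
	Sig   string `json:"sig"`
}

// Subject is one entry of an in-toto statement's "subject" list.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the subset of an in-toto statement needed to read subjects.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
}

const inTotoPayloadType = "application/vnd.in-toto+json"

// PAE is the DSSE pre-authentication encoding, i.e. the bytes a DSSE signature
// is computed over. A digest of these bytes says nothing about the artifact.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SubjectSHA256s decodes the envelope payload as an in-toto statement and
// returns the hex sha256 digest of every subject that declares one.
func SubjectSHA256s(env *Envelope) ([]string, error) {
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("payload type %q is not an in-toto statement", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decoding DSSE payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parsing in-toto statement: %w", err)
	}
	var out []string
	for _, s := range st.Subject {
		if d, ok := s.Digest["sha256"]; ok {
			out = append(out, d)
		}
	}
	if len(out) == 0 {
		return nil, errors.New("statement has no subject with a sha256 digest")
	}
	return out, nil
}

// ArtifactMatchesSubject reports whether the sha256 digest of an artifact is
// one of the statement's subjects. This is the value a WithArtifactDigest-style
// option should receive for DSSE content, instead of a digest of the PAE bytes.
func ArtifactMatchesSubject(env *Envelope, artifactSHA256 []byte) (bool, error) {
	digests, err := SubjectSHA256s(env)
	if err != nil {
		return false, err
	}
	want := hex.EncodeToString(artifactSHA256)
	for _, d := range digests {
		if strings.EqualFold(d, want) {
			return true, nil
		}
	}
	return false, nil
}

// SampleArtifact is constructed input; SampleEnvelope wraps a constructed
// in-toto statement naming it as the subject. The signature is a placeholder.
var SampleArtifact = []byte("hello, sigstore\n")

func SampleEnvelope() *Envelope {
	sum := sha256.Sum256(SampleArtifact)
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "hello.txt", Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://example.com/constructed-predicate/v1",
	}
	payload, _ := json.Marshal(st)
	return &Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{Sig: "placeholder-not-a-real-signature"}},
	}
}

func main() {
	env := SampleEnvelope()
	art := sha256.Sum256(SampleArtifact)
	ok, err := ArtifactMatchesSubject(env, art[:])
	fmt.Println("artifact digest matches a subject:", ok, err)

	// The pre-fix path effectively compared against the PAE bytes, which never match.
	payload, _ := base64.StdEncoding.DecodeString(env.Payload)
	pae := sha256.Sum256(PAE(env.PayloadType, payload))
	ok, err = ArtifactMatchesSubject(env, pae[:])
	fmt.Println("PAE digest matches a subject:", ok, err)
}
```

Running it prints true for the artifact digest and false for the PAE digest, which is the mismatch the issue describes. The payload-type check matters in practice: a DSSE envelope can wrap something other than an in-toto statement, and in that case there is no subject to compare against, so the caller has to decide whether to skip the artifact check (as #258 proposes) rather than silently passing.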
Description
As noted in https://github.com/sigstore/sigstore-go/issues/256:

If BundleOptions.TrustedRoot is set to a trusted root, then sign.Bundle will attempt to verify the bundle against the given trusted root. If the bundle content is DSSE, the artifact provided to the verifier is the PAE bytes of the envelope; however, the verifier requires that if WithArtifact/WithArtifactDigest is provided, the digest is compared against the subjects in the attestation, not the PAE bytes of the DSSE.

The routine that does this verification should be updated to extract the subject digest and use WithArtifactDigest when the provided content is a DSSE.

Version