Closed woodruffw closed 1 month ago
Forgot to mention: I think the expected behavior here is still a verification failure, but one that happens in a controlled manner rather than via a panic 🙂
This is a great example of one of the corner-cases we should be addressing in #63!
Description

I observed this behavior while trying to cross-check `sigstore-python`'s handling of v0.1 bundles with other clients.

Reproduction steps:
Running that fails with:
From a quick triage, that looks like it fails on this `swag.String` ctor: https://github.com/sigstore/sigstore-go/blob/004c4250f082b69a03df43a95930fd72cef63549/pkg/tlog/entry.go#L132

...which I suspect fails because `InclusionProof.Checkpoint` is completely missing from the bundle, which gets silently ignored during unpacking because protobuf is very malleable about missing items.

Version
I tested this with `go install github.com/sigstore/sigstore-go/cmd/sigstore-go@latest`, which I believe should be installing the latest tag (v0.5.1).

Additional context
This is arguably a knock-on bug: the Sigstore bundle in question was generated by `sigstore-python` in the 1.x series, which didn't include the `checkpoint` field in its bundles (since it wasn't clear from the v0.1 bundle spec that it was required).

I'm tracking the associated behavior in sigstore-python here: https://github.com/sigstore/sigstore-python/issues/1088