Closed: woodruffw closed 1 month ago
CC @facutuesca could you try and extend our current integration tests to cover this? Should be as simple as ensuring that `sigstore verify ... foo.txt` continues to work when `foo.txt.sigstore` (and only `.sigstore`, not `.sigstore.json`) is present.
Release 3.5.0 had a minor regression which we only noticed after release: handling of "legacy" sigstore bundles (i.e. `.sigstore` instead of `.sigstore.json`) was broken by an overly broad check on `.crt`/`.sig` inputs. No other verification flows were affected, including any flows where a user passes the verification materials explicitly rather than discovering them via file suffixes.
Resolution
We released 3.5.1 with a fix.
Improvement items
We should have an integration test that ensures we don't regress on this CLI behavior again.
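As an added example (not sigstore-python's own code), a hypothetical suffix-based discovery routine with the precedence the issue describes, plus a regression check in the spirit of the requested integration test. The function names, the `.crt`/`.sig` fallback shape and the constructed fixture files are assumptions; the `.crt`/`.sig` presence check is deliberately scoped to the last branch so it cannot reject a legacy `.sigstore` bundle.

```python
from pathlib import Path
import tempfile

BUNDLE_SUFFIX = ".sigstore.json"   # current bundle name
LEGACY_BUNDLE_SUFFIX = ".sigstore"  # legacy bundle name, still accepted


def discover_materials(artifact: Path) -> dict:
    """Hypothetical discovery by file suffix (assumption, not sigstore-python's code).

    Precedence: `.sigstore.json` bundle, then legacy `.sigstore` bundle, and only
    if neither exists the detached `.crt` + `.sig` pair. Keeping the `.crt`/`.sig`
    check inside that last branch is what prevents the 3.5.0-style regression,
    where a broader check broke legacy-bundle handling.
    """
    bundle = artifact.with_name(artifact.name + BUNDLE_SUFFIX)
    if bundle.is_file():
        return {"kind": "bundle", "bundle": bundle}
    legacy = artifact.with_name(artifact.name + LEGACY_BUNDLE_SUFFIX)
    if legacy.is_file():
        return {"kind": "legacy-bundle", "bundle": legacy}
    cert = artifact.with_name(artifact.name + ".crt")
    sig = artifact.with_name(artifact.name + ".sig")
    if cert.is_file() and sig.is_file():
        return {"kind": "detached", "cert": cert, "sig": sig}
    raise FileNotFoundError(f"no verification materials found for {artifact}")


def discover_kind(present_suffixes: set) -> str:
    """Regression fixture: create foo.txt plus the given sibling suffixes in a
    temp dir (constructed placeholder contents, no real signatures) and report
    which material kind discovery picks."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "foo.txt"
        artifact.write_text("hello\n")
        for suffix in present_suffixes:
            (Path(d) / ("foo.txt" + suffix)).write_text("placeholder")
        return discover_materials(artifact)["kind"]


if __name__ == "__main__":
    # The case from the issue: only foo.txt.sigstore, no foo.txt.sigstore.json.
    print(discover_kind({".sigstore"}))  # legacy-bundle
```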