sigstore / sigstore-python

A Sigstore client written in Python
https://pypi.org/p/sigstore

Python 3.14.0a1 invalid signature, OIDC Issuer does not match #1204

Closed mendhak closed 1 week ago

mendhak commented 1 week ago

Trying to sigstore verify the 3.14.0a1 release fails. I believe this is a documentation error; the OIDC issuer is listed as Google instead of GitHub.

Following the Google instructions:

python3 -m sigstore verify identity --bundle Python-3.14.0a1.tgz.sigstore --cert-identity hugo@python.org --cert-oidc-issuer https://accounts.google.com Python-3.14.0a1.tgz

produces

[15:47:38] ERROR    FAIL: Python-3.14.0a1.tgz                                                               _cli.py:1082
           ERROR    Certificate's OIDCIssuer does not match (got 'https://github.com/login/oauth', expected errors.py:41
                    'https://accounts.google.com')                                                                      
                    For detailed error information, run sigstore with the `--verbose` flag.

The OIDC issuer seems to be GitHub rather than Google as specified on the page.

So, you can modify the command to use the GitHub issuer and it will work:

python3 -m sigstore verify identity --bundle Python-3.14.0a1.tgz.sigstore --cert-identity hugo@python.org --cert-oidc-issuer https://github.com/login/oauth Python-3.14.0a1.tgz

Please could the table be updated to mention the GitHub OIDC issuer.

woodruffw commented 1 week ago

Thanks for the report @mendhak. The documentation you're referring to doesn't live in this repo, though -- this is just the client, I believe the identity table lives somewhere in the Python GitHub org.

CC @sethmlarson to confirm whether this is an error in the docs 🙂

mendhak commented 1 week ago

Oh oops, I see. There was a link at the bottom of the Sigstore information page telling me to post here, so I just assumed this was the place, sorry.

Happy to repost elsewhere if anyone lets me know, cheers.

di commented 1 week ago

Thanks @mendhak, this is the right place to report issues with that page since we don't really have a better issue tracker for it. I've updated the docs accordingly!

mendhak commented 1 week ago

Thank you everyone!

woodruffw commented 1 week ago

> Thank you everyone!

Thank you for verifying signatures!