Open jleightcap opened 11 months ago
Description
When verifying a signature passed via a file, trailing newlines are not sanitized.
Using the verify_blob API with a signature file generated by sigstore-python, verify_signature fails with
verify_blob
verify_signature
Error: Invalid byte 10, offset 96.
the root issue seems to be differing signature files generated between sigstore-python and cosign (e.g. https://github.com/sigstore/sigstore-rs/tree/main/examples/cosign/verify-blob#sign-the-artifacttxt-file-using-cosign).
(byte 10 == '\n')
\n
This is pretty easily fixed with a .trim() at the fs::read_to_string callsite, but compatibility doesn't seem guaranteed between sigstore clients.
.trim()
fs::read_to_string
Version
https://github.com/sigstore/sigstore-rs/commit/e23046c72ecaf3d4fd63540ed538d8972ac61468
(CC @woodruffw)
jleightcap
commented
11 months ago jleightcap
commented
11 months ago
Description
When verifying a signature passed via a file, trailing newlines are not sanitized.
Using the
verify_blobAPI with a signature file generated by sigstore-python,verify_signaturefails withthe root issue seems to be differing signature files generated between sigstore-python and cosign (e.g. https://github.com/sigstore/sigstore-rs/tree/main/examples/cosign/verify-blob#sign-the-artifacttxt-file-using-cosign).
(byte 10 == '
\n')This is pretty easily fixed with a
.trim()at thefs::read_to_stringcallsite, but compatibility doesn't seem guaranteed between sigstore clients.Version
https://github.com/sigstore/sigstore-rs/commit/e23046c72ecaf3d4fd63540ed538d8972ac61468