A compatibility problem of sigstore-python? #122785
Comments
cc @sethmlarson
I'm able to reproduce the issue:
I've shared this with the Python Sigstore CLI team to see if this is expected.
Triaging this from the
I've done some initial triage in sigstore/sigstore-python#1088; the TL;DR is that @S1eepeng is correct about the basic cause, and we have at least 3 possible resolutions available to us.
This has been completed here, all bundles have been migrated to work with the latest Sigstore CLI: python/release-tools#161
Hello!
When I downloaded and verified the .sigstore file in https://www.python.org/downloads/release/python-3125/, following the instructions in https://www.python.org/download/sigstore/, it raised an error:

note must contain one blank line, delineating the text from the signature block

But when I tried to verify python3.11.0.sigstore, the result was OK. I've compared these two, and found that the sigstore-python versions of python3.11.0 and 3.12.5 are v0.2 and v0.1 respectively, and the .sigstore file of v0.1 is missing the "checkpoint" block. I've checked the changelog of sigstore-python and found that it adds verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints since v2.0. After I completed the checkpoint, the verification passed.

The conclusion is that the sigstore-python version used in CPython seems to be too low (<0.2), causing the .sigstore file to fail the client verification. Although this is not a serious problem, it can cause some usability issues.
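As an added example (not code from CPython, sigstore-python, or the issue author), the script below shows the structural difference the report describes. It builds two bundle-shaped dicts, one with a v0.1-style inclusion proof that has no checkpoint and one with a v0.2-style proof that carries a signed checkpoint envelope, then parses the envelope the way a checkpoint-aware client must: the note body (origin, tree size, root hash) and the signature block have to be separated by exactly one blank line, which is the check that fails on an empty envelope. It then cross-checks the checkpoint's tree size and root hash against the inclusion proof. The bundle contents, root hash, and signature bytes are constructed placeholders; a real verifier would additionally verify the checkpoint signature with the log's public key and walk the Merkle inclusion path, which this example does not do.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass

# Constructed sample values (not from a real release bundle): a stand-in Merkle
# root and a fake signature whose first four bytes play the role of the key hint.
ROOT_HASH = bytes(range(32))
ROOT_HASH_B64 = base64.b64encode(ROOT_HASH).decode()
KEY_HINT = bytes([0xAA, 0xBB, 0xCC, 0xDD])
SIG_B64 = base64.b64encode(KEY_HINT + b"\x01" * 64).decode()

# A signed checkpoint note: body lines (origin, tree size, root hash), one blank
# line, then one "<em dash> <signer> <base64 key hint + signature>" line per signer.
V02_ENVELOPE = (
    "rekor.sigstore.dev - 2605736670972794746\n"
    "123456\n"
    f"{ROOT_HASH_B64}\n"
    "\n"
    f"\u2014 rekor.sigstore.dev {SIG_B64}\n"
)


def make_bundle(version: str, envelope: str | None) -> dict:
    """Build a minimal bundle-shaped dict (constructed; only the fields used here)."""
    proof = {
        "logIndex": "123455",
        "rootHash": ROOT_HASH_B64,
        "treeSize": "123456",
        "hashes": [base64.b64encode(b"\x00" * 32).decode()],
    }
    if envelope is not None:
        proof["checkpoint"] = {"envelope": envelope}
    return {
        "mediaType": f"application/vnd.dev.sigstore.bundle+json;version={version}",
        "verificationMaterial": {
            "tlogEntries": [{"logIndex": "123455", "inclusionProof": proof}]
        },
    }


@dataclass
class Checkpoint:
    origin: str
    tree_size: int
    root_hash: bytes
    signatures: list[tuple[str, bytes, bytes]]  # (signer, key hint, raw signature)


def bundle_version(bundle: dict) -> str:
    """Read the bundle format version from the mediaType parameter."""
    media_type = bundle["mediaType"]
    if "version=" not in media_type:
        raise ValueError(f"unrecognised mediaType: {media_type}")
    return media_type.split("version=", 1)[1]


def parse_checkpoint(envelope: str) -> Checkpoint:
    """Split a signed note into body and signature block and decode both."""
    # The check the issue ran into: an empty or malformed envelope does not
    # contain exactly one blank line between the body and the signatures.
    if envelope.count("\n\n") != 1:
        raise ValueError(
            "note must contain one blank line, delineating the text from the signature block"
        )
    body, sig_block = envelope.split("\n\n", 1)
    lines = body.split("\n")
    if len(lines) < 3:
        raise ValueError("checkpoint body must carry origin, tree size and root hash")
    signatures = []
    for line in sig_block.splitlines():
        if not line.startswith("\u2014 "):
            raise ValueError(f"malformed signature line: {line!r}")
        _, signer, sig_b64 = line.split(" ", 2)
        raw = base64.b64decode(sig_b64)
        if len(raw) <= 4:
            raise ValueError("signature too short to carry a key hint")
        signatures.append((signer, raw[:4], raw[4:]))
    if not signatures:
        raise ValueError("checkpoint carries no signatures")
    return Checkpoint(lines[0], int(lines[1]), base64.b64decode(lines[2]), signatures)


def check_entry(bundle: dict) -> dict:
    """Report whether the first tlog entry's checkpoint agrees with its inclusion proof."""
    proof = bundle["verificationMaterial"]["tlogEntries"][0]["inclusionProof"]
    report = {
        "version": bundle_version(bundle),
        "checkpoint": False,
        "root_matches": False,
        "size_matches": False,
        "error": None,
    }
    envelope = proof.get("checkpoint", {}).get("envelope", "")
    try:
        cp = parse_checkpoint(envelope)
    except ValueError as exc:
        report["error"] = str(exc)
        return report
    report["checkpoint"] = True
    report["root_matches"] = base64.b64decode(proof["rootHash"]) == cp.root_hash
    report["size_matches"] = int(proof["treeSize"]) == cp.tree_size
    return report


if __name__ == "__main__":
    for version, env in (("0.1", None), ("0.2", V02_ENVELOPE)):
        print(version, check_entry(make_bundle(version, env)))
```

Running the script prints a report per bundle: the v0.1-shaped one fails with the blank-line error because its envelope is empty, the v0.2-shaped one parses and its root hash and tree size agree with the inclusion proof. Feeding a v0.1 bundle to a checkpoint-aware verifier is therefore expected to fail at this step, which is why re-signing the release bundles with a current client resolves the report.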