GitHub subjects look different to URIs

sigstore · Jan 16, 2023 · fd1a2f1 · fd1a2f1
1 parent 3f76ae3
commit fd1a2f1
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/pkg/server/grpc_server_test.go b/pkg/server/grpc_server_test.go
@@ -711,11 +711,11 @@ func TestAPIWithGitHub(t *testing.T) {
 		JobWorkflowRef: "job/workflow/ref",
 		Sha:            "sha",
 		Trigger:        "trigger",
-		Repository:     "repo",
+		Repository:     "sigstore/fulcio",
 		Workflow:       "workflow",
-		Ref:            "ref",
+		Ref:            "refs/heads/main",
 	}
-	githubSubject := fmt.Sprintf("https://github.com/%s", claims.JobWorkflowRef)
+	githubSubject := fmt.Sprintf("repo:%s:ref:%s", claims.Repository, claims.Ref)
 
 	// Create an OIDC token using this issuer's signer.
 	tok, err := jwt.Signed(githubSigner).Claims(jwt.Claims{
@@ -767,12 +767,13 @@ func TestAPIWithGitHub(t *testing.T) {
 	if len(leafCert.URIs) != 1 {
 		t.Fatalf("unexpected length of leaf certificate URIs, expected 1, got %d", len(leafCert.URIs))
 	}
-	uSubject, err := url.Parse(githubSubject)
+	githubUrl := fmt.Sprintf("https://github.com/%s", claims.JobWorkflowRef)
+	githubUri, err := url.Parse(githubUrl)
 	if err != nil {
-		t.Fatalf("failed to parse subject URI")
+		t.Fatalf("failed to parse expected url")
 	}
-	if *leafCert.URIs[0] != *uSubject {
-		t.Fatalf("subjects do not match: Expected %v, got %v", uSubject, leafCert.URIs[0])
+	if *leafCert.URIs[0] != *githubUri {
+		t.Fatalf("URIs do not match: Expected %v, got %v", githubUri, leafCert.URIs[0])
 	}
 	// Verify custom OID values
 	triggerExt, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2})