Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify required fields in Sigstore Bundle #317

Merged
merged 1 commit into from
Jan 31, 2023
Merged

Verify required fields in Sigstore Bundle #317

merged 1 commit into from
Jan 31, 2023

Conversation

vlsi
Copy link
Collaborator

@vlsi vlsi commented Jan 22, 2023

Summary

Previously, message_signature.signature was missing, and there was no check to capture that.

The key non-test code here is setSignature(ByteString.copyFrom(signingResult.getSignature())) in BundleFactoryInternal.

Release Note

NONE

Documentation

NONE

@vlsi vlsi added the safe to test conformance testing label label Jan 22, 2023
vlsi
vlsi commented Jan 22, 2023
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactory.java
@@ -38,7 +36,16 @@ public class BundleFactory {
public static String createBundle(KeylessSigningResult signingResult) {
Bundle bundle = BundleFactoryInternal.createBundleBuilder(signingResult).build();
try {
return JSON_PRINTER.print(bundle);
String jsonBundle = BundleFactoryInternal.JSON_PRINTER.print(bundle);
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved the static field to a different class so protobuf does not leak to the public API

@vlsi
Copy link
Collaborator Author

vlsi commented Jan 31, 2023

Can we merge this and release sigstore-java?

@loosebazooka
Copy link
Member

oh hey sorry, I'm still on leave, but I have some time today to maybe get a bunch of things done in bulk.

@vlsi vlsi mentioned this pull request Jan 31, 2023
Open
4 tasks
loosebazooka
loosebazooka reviewed Jan 31, 2023
View reviewed changes
Copy link
Member

@loosebazooka loosebazooka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm mostly, lemme know what you think of the comments?

sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifierInternal.java Show resolved Hide resolved
sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifierInternal.java Outdated Show resolved Hide resolved
sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifierInternal.java Outdated Show resolved Hide resolved
@vlsi
Verify required fields in Sigstore Bundle
0cf4946 
Previously, message_signature.signature was missing, and there was no
check to capture that.

Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
@loosebazooka loosebazooka added safe to test conformance testing label and removed safe to test conformance testing label labels Jan 31, 2023
@vlsi vlsi merged commit 594f74e into sigstore:main Jan 31, 2023
@vlsi vlsi mentioned this pull request Feb 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loosebazooka loosebazooka loosebazooka approved these changes

@patflynn patflynn Awaiting requested review from patflynn

Assignees
No one assigned
Labels
safe to test conformance testing label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vlsi @loosebazooka