Fix verify DSSE bundles (after signing) (#258)

* Fixes #257 When signing, if you optionally supply a trusted root we will attempt to verify the bundle before we return it. Previously we were using the wrong artifact digest for DSSE signing. We could add a way to specify the artifact referred to in DSSE, but we are already trusting the certificate identity in the user-supplied id token. --------- Signed-off-by: Zach Steindler <[email protected]>
sigstore · Aug 6, 2024 · 004c425 · 004c425
1 parent 6f7e99d
commit 004c425
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/pkg/sign/signer.go b/pkg/sign/signer.go
@@ -149,7 +149,15 @@ func Bundle(content Content, keypair Keypair, opts BundleOptions) (*protobundle.
 			return nil, err
 		}
 
-		artifactOpts := verify.WithArtifact(bytes.NewReader(content.PreAuthEncoding()))
+		// Generally, you should provide an artifact when verifying.
+		//
+		// However, we just signed the DSSE object trusting the user has
+		// referenced the artifact(s) they intended.
+		artifactOpts := verify.WithoutArtifactUnsafe()
+		if bundle.GetMessageSignature() != nil {
+			artifactOpts = verify.WithArtifact(bytes.NewReader(content.PreAuthEncoding()))
+		}
+
 		policy := verify.NewPolicy(artifactOpts, verify.WithoutIdentitiesUnsafe())
 		_, err = sev.Verify(protobundle, policy)
 		if err != nil {