Additional verification of required fields in the bundle #63
Comments
|
@haydentherapper I was looking into this and I encountered an issue with The proposal says that:
There is something wrong in either the implementation library or the bundle, but I am not sure, what do you think? |
|
Try with this branch and see if that resolves the issue: sigstore/protobuf-specs#337 |
|
@kommendorkapten It fixes that test but it makes an empty bundle: &ProtobufBundle{
Bundle: &protobundle.Bundle{
MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3",
VerificationMaterial: &protobundle.VerificationMaterial{},
Content: nil,
},
},$ go test -run=Test_BundleValidation .
--- FAIL: Test_BundleValidation (0.00s)
--- FAIL: Test_BundleValidation/name:Empty_verification_material (0.00s)
bundle_test.go:182: Protobuf.Bundle() error = <nil>, wantErr bundle validation failed: missing required field: verification_material.public_key
FAIL
FAIL github.com/sigstore/sigstore-go/pkg/bundle 0.190s
FAILI think this test case should fail |
|
I agree that an empty VerificationMaterials should cause a test failure as at least a key hint or certificate should be required. Could this be because we need to add some logic that checks for the one_of behavior extension value? |
Yes, it might require some changes in the library I am using. |
|
@vishal-chdhry I think that makes sense to extend the custom method we have, and avoid reflection. As you said, the number of messages is low, and the so is the general complexity. I'm in favour 👍 |
|
At the sigstore-go client meeting, we said this was a "should" (not must) for v1.0. |
Description
We currently check for an inclusion proof or promise in a validation function when constructing the bundle.
Further verification for required fields would be ideal. Using proto reflection, we could use the field annotation
field_behaviorto determine if the field has been annotated as required.The text was updated successfully, but these errors were encountered: