Better test for the Timestamp Threshold

Signed-off-by: Alexis <[email protected]>

sigstore/verify/verifier.py

@@ -59,6 +59,10 @@
 # From https://github.com/sigstore/sigstore-go/blob/e92142f0734064ebf6001f188b7330a1212245fe/pkg/verify/tsa.go#L29
 MAX_ALLOWED_TIMESTAMP: int = 32
 
+# When verifying a timestamp, this threshold represents the minimum number of required
+# timestamps to consider a signature valid.
+VERIFY_TIMESTAMP_THRESHOLD: int = 1
+
 
 class Verifier:
     """
@@ -82,8 +86,6 @@ def __init__(self, *, rekor: RekorClient, trusted_root: TrustedRoot):
         ]
         self._trusted_root = trusted_root
 
-        self.verify_timestamp_threshold: int = 1
-
     @classmethod
     def production(cls, *, offline: bool = False) -> Verifier:
         """
@@ -249,10 +251,10 @@ def _verify_common_signing_cert(
             verified_timestamp = self._verify_timestamp_authority(bundle)
             # The threshold is set to (1) by default but kept as a variable to allow
             # this value to change
-            if verified_timestamp < self.verify_timestamp_threshold:
+            if verified_timestamp < VERIFY_TIMESTAMP_THRESHOLD:
                 msg = (
                     f"Not enough Timestamp validated to meet the Validation "
-                    f"Threshold ({verified_timestamp}/{self.verify_timestamp_threshold})"
+                    f"Threshold ({verified_timestamp}/{VERIFY_TIMESTAMP_THRESHOLD})"
                 )
                 raise VerificationError(msg)
 

test/assets/tsa/bundle.txt.sigstore

@@ -46,6 +46,9 @@
       "rfc3161Timestamps": [
         {
           "signedTimestamp": "MIIEgDADAgEAMIIEdwYJKoZIhvcNAQcCoIIEaDCCBGQCAQMxDTALBglghkgBZQMEAgEwgc8GCyqGSIb3DQEJEAEEoIG/BIG8MIG5AgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgF2fxhmJk3kyzmUDGBhn8kEIYUvISuRhDjuVtN7jtKFsCFCfDYd/d4RagLKlLgkIpKC2V2+RxGA8yMDI0MTAzMTEwMjMzOVowAwIBAQIUN08D3ZVEkDYmzP0I9qnAMAsttoWgNKQyMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmegggHQMIIBzDCCAXKgAwIBAgIULk1PjItZiOSoI+mHqdkSfcRIYS0wCgYIKoZIzj0EAwIwMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0ZTAeFw0yNDEwMzExMDE2NDJaFw0zMzEwMzExMDE5NDJaMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARbAXMyQHIMuZtXY1bXlIWCKDPKts1j1JHB9n0j8teSYKs6ju9Z+v0joTcaiD0F0R+YEh6xWB9+71jkg57qsJqCo2owaDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFHr84ZbK4DrUPCzsEQbBjdT5OnRBMB8GA1UdIwQYMBaAFCkN6IAfJdG+HSOn1pSw9FnTuO1RMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqGSM49BAMCA0gAMEUCIAha0d6Cgx9r/S1itcwzCCLpj6Oddp7XHyQ6c9iskT4GAiEA7HrjYsLE4XjdsUA6OgsoO7h5IzkbsVEYUAnKEFchoKYxggGoMIIBpAIBATBIMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBJbnRlcm1lZGlhdGUCFC5NT4yLWYjkqCPph6nZEn3ESGEtMAsGCWCGSAFlAwQCAaCB8zAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI0MTAzMTEwMjMzOVowLwYJKoZIhvcNAQkEMSIEIIwtSBR2KyJoDjyGAgwVokItIcv6NZXcq6WsrdZ7xm2eMIGFBgsqhkiG9w0BCRACLzF2MHQwcjBwBCB6Z+5bJvtyJlSFYWzFldMxC5t4LAmOKRAO8Y3HALjAOTBMMDSkMjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwGA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlAhQuTU+Mi1mI5Kgj6Yep2RJ9xEhhLTAKBggqhkjOPQQDAgRGMEQCIAY58TwPQDEm1hewp/Vn7ovaby/hnPzwxzRQulfj7+wvAiAAsjqb+meU6oJVgYia9YWVxeMAC+27c4NgtZsn3lXCJQ=="
+        },
+        {
+          "signedTimestamp": "MIIEyjADAgEAMIIEwQYJKoZIhvcNAQcCoIIEsjCCBK4CAQMxDTALBglghkgBZQMEAgEwgeQGCyqGSIb3DQEJEAEEoIHUBIHRMIHOAgEBBgkrBgEEAYO/MAIwUTANBglghkgBZQMEAgMFAARAm3HSJL1i83hdltRq0+o9czGb+8KJDKra4t/3JRlnPKcjI8PZm6XBHXx6zG4UuMXaDEZjR1wuXDre9G9zvN7AQwIUJK4QC2mcxSdWnCqd1bF0JQo/lgsYDzIwMjQxMDMxMTMzMTQ0WjADAgEBAgkA3hCi/XbCJHegNKQyMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmegggHQMIIBzDCCAXKgAwIBAgIULk1PjItZiOSoI+mHqdkSfcRIYS0wCgYIKoZIzj0EAwIwMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0ZTAeFw0yNDEwMzExMDE2NDJaFw0zMzEwMzExMDE5NDJaMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARbAXMyQHIMuZtXY1bXlIWCKDPKts1j1JHB9n0j8teSYKs6ju9Z+v0joTcaiD0F0R+YEh6xWB9+71jkg57qsJqCo2owaDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFHr84ZbK4DrUPCzsEQbBjdT5OnRBMB8GA1UdIwQYMBaAFCkN6IAfJdG+HSOn1pSw9FnTuO1RMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqGSM49BAMCA0gAMEUCIAha0d6Cgx9r/S1itcwzCCLpj6Oddp7XHyQ6c9iskT4GAiEA7HrjYsLE4XjdsUA6OgsoO7h5IzkbsVEYUAnKEFchoKYxggHdMIIB2QIBATBIMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBJbnRlcm1lZGlhdGUCFC5NT4yLWYjkqCPph6nZEn3ESGEtMAsGCWCGSAFlAwQCAaCCASYwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDEwMzExMzMxNDRaMC8GCSqGSIb3DQEJBDEiBCDFl7LJGj2Ly6mrN3rzvyj+h0hRUK4/mvHEgTXCpy9K3DCBuAYLKoZIhvcNAQkQAi8xgagwgaUwgaIwgZ8wDQYJYIZIAWUDBAIDBQAEQPrmk1cW2IBeZnRAWYlt35rZRL+e43TUQ6C2cqGOEGYZGS5we3Yz46pM7dijeAZkn1JVS0rOf6W1TsFRrwdApP0wTDA0pDIwMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0ZQIULk1PjItZiOSoI+mHqdkSfcRIYS0wCgYIKoZIzj0EAwIERzBFAiEAlNj866pok1LTFRuzxIfu+h/KJ/kHmKnUfNF4PL2cdgsCIEKRudmJVaifKu72aNwiMB+P1YicRzgl/QGQPNAYDxUe"
         }
       ]
     }

test/unit/verify/test_verifier.py

@@ -285,7 +285,6 @@ def verify_function(*args):
                     null_policy,
                 )
 
-        assert len(caplog.records) == 2
         assert caplog.records[0].message == "Unable to verify Timestamp with CA."
 
     def test_verifier_no_authorities(self, asset, null_policy):
@@ -299,8 +298,10 @@ def test_verifier_no_authorities(self, asset, null_policy):
                 null_policy,
             )
 
-    def test_verifier_not_enough_timestamp(self, verifier, asset, null_policy):
-        verifier.verify_timestamp_threshold = 2
+    def test_verifier_not_enough_timestamp(
+        self, verifier, asset, null_policy, monkeypatch
+    ):
+        monkeypatch.setattr("sigstore.verify.verifier.VERIFY_TIMESTAMP_THRESHOLD", 2)
         with pytest.raises(VerificationError, match="Not enough Timestamp"):
             verifier.verify_artifact(
                 asset("tsa/bundle.txt").read_bytes(),