When verifying disjoint materials (.crt+.sig) with a "bare" Sigstore bundle in the same directory (.sigstore) a warning is displayed about bare bundles being deprecated. This occurs even if the bundle is not specified during verification (this seems like strange behavior?)
```
$ touch a
$ python -m sigstore sign --signature a.sig --certificate a.crt --bundle a.sigstore a
...
Transparency log entry created at index: 141486578
Signature written to a.sig
Certificate written to a.crt
Sigstore bundle written to a.sigstore
$ python -m sigstore verify identity --cert-identity sethmichaellarson@gmail.com --cert-oidc-issuer https://accounts.google.com --certificate a.crt --signature a.sig a
[16:43:36] WARNING a: a.sigstore should be named a.sigstore.json. Support for discovering 'bare' .sigstore inputs will be deprecated in a future release. _cli.py:925
OK: a
$ rm a.sigstore.json
$ python -m sigstore verify identity --cert-identity sethmichaellarson@gmail.com --cert-oidc-issuer https://accounts.google.com --certificate a.crt --signature a.sig a
OK: a
```
Expected behavior is for warning to not be considered if certificate/signature disjoint materials are specified. As far as I can tell from my testing, the bundle is not used during verification at all despite the warning.
Thanks for the report @sethmlarson! Yeah, this looks like a bug -- we should only warn about the "bare" bundle when actually using it, not if it just happens to be present. I'll look into a fix.
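A sketch of the input-selection rule discussed in this thread, added here as an illustration and not taken from sigstore-python: the bare-bundle warning is raised only on the path where a discovered `.sigstore` file is actually chosen. The function names, the returned dictionary and the shortened warning text are assumptions made for this example.

```python
from __future__ import annotations
import tempfile
from pathlib import Path


def select_materials(artifact: Path, signature: Path | None = None,
                     certificate: Path | None = None,
                     bundle: Path | None = None) -> tuple[dict[str, Path], list[str]]:
    """Pick the verification inputs for one artifact; return (materials, warnings)."""
    warnings: list[str] = []
    # Explicit disjoint materials win: sibling bundles are never looked at,
    # so their naming cannot produce a warning.
    if signature or certificate:
        if not (signature and certificate):
            raise ValueError("signature and certificate must be given together")
        return {"signature": signature, "certificate": certificate}, warnings
    if bundle is None:
        # Discovery only happens when nothing was passed explicitly.
        preferred = artifact.with_name(artifact.name + ".sigstore.json")
        legacy = artifact.with_name(artifact.name + ".sigstore")
        if preferred.is_file():
            bundle = preferred
        elif legacy.is_file():
            bundle = legacy
            # Warn only here, where the bare bundle is actually used.
            warnings.append(f"{artifact.name}: {legacy.name} should be named {preferred.name}")
    if bundle is None:
        raise ValueError(f"no verification materials found for {artifact}")
    return {"bundle": bundle}, warnings


def demo() -> dict[str, list[str]]:
    """Recreate the directory layout from the report (constructed, empty files)."""
    with tempfile.TemporaryDirectory() as d:
        a = Path(d) / "a"
        for p in (a, a.with_name("a.sig"), a.with_name("a.crt"), a.with_name("a.sigstore")):
            p.touch()
        _, explicit = select_materials(a, a.with_name("a.sig"), a.with_name("a.crt"))
        _, discovered = select_materials(a)
        a.with_name("a.sigstore").rename(a.with_name("a.sigstore.json"))
        _, renamed = select_materials(a)
    return {"explicit": explicit, "discovered": discovered, "renamed": renamed}


if __name__ == "__main__":
    for case, warns in demo().items():
        print(case, warns)
```
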
Description
When verifying disjoint materials (.crt+.sig) with a "bare" Sigstore bundle in the same directory (.sigstore) a warning is displayed about bare bundles being deprecated. This occurs even if the bundle is not specified during verification (this seems like strange behavior?)
Rename the file: no warning
Remove the file: no warning
Expected behavior is for warning to not be considered if certificate/signature disjoint materials are specified. As far as I can tell from my testing, the bundle is not used during verification at all despite the warning.
Version