fix: require an inclusion promise when log integration time is used #1247

Merged (5 commits) on Dec 10, 2024

Member

@woodruffw woodruffw commented Dec 10, 2024

See sigstore/protobuf-specs#442: this strengthens the inclusion promise requirement to make it mandatory when the log integration time is used as the common verification time.

This should be a non-breaking change in principle, although in practice there might be some real-world bundles that have the inclusion promises stripped from them (similar to what we saw with bundles that had inclusion proofs but no signed checkpoints). The conformance test should determine this, since it includes all CPython bundles.

Edit: conformance passes, indicating that we're OK in terms of existing bundles having inclusion promises.

CC @haydentherapper

Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw self-assigned this Dec 10, 2024
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Resolved review thread on sigstore/models.py
@woodruffw woodruffw changed the title require an inclusion promise when log integration time is used fix: require an inclusion promise when log integration time is used Dec 10, 2024
@woodruffw woodruffw merged commit 300b502 into main Dec 10, 2024
25 checks passed
@woodruffw woodruffw deleted the ww/require-signed-time branch December 10, 2024 22:03
@woodruffw woodruffw mentioned this pull request Dec 10, 2024
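
The rule this pull request describes, as an added sketch that is not code from the pull request or from the project: `LogEntry`, `VerificationError` and `establish_verification_times` are hypothetical names, and the inclusion promise's signature and any other signed timestamps are assumed to have been verified elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


class VerificationError(Exception):
    """Raised when no trustworthy verification time can be established."""


@dataclass(frozen=True)
class LogEntry:
    """Hypothetical, simplified model of a transparency log entry."""
    integrated_time: int                # Unix seconds reported by the log
    inclusion_promise: Optional[bytes]  # None or empty if absent or stripped


def establish_verification_times(
    entry: LogEntry, signed_timestamps: List[datetime]
) -> List[datetime]:
    """Return the times at which the signing certificate must be valid.

    signed_timestamps: times from other, already verified signed timestamps
    (assumption: verified by the caller; may be empty).
    """
    times = list(signed_timestamps)

    # The integrated time is only accepted as a verification time when the
    # entry carries an inclusion promise. An empty promise counts as missing.
    if entry.inclusion_promise:
        times.append(
            datetime.fromtimestamp(entry.integrated_time, tz=timezone.utc)
        )

    # With no promise and no other signed time, the only candidate would be
    # an integrated time that nothing vouches for, so verification fails
    # instead of falling back to it.
    if not times:
        raise VerificationError(
            "log integrated time cannot be used without an inclusion promise"
        )
    return times
```

A bundle whose promise was stripped still verifies in this sketch if another signed timestamp is supplied; it is rejected only when the integrated time would be the sole source of verification time.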