tests: Add test that verifies using current issuer certificates
jku opened this issue · 0 comments
jku commented
During #910 development the test suite was passing but simply running this failed with InvalidSCTKeyError:
sigstore sign README.md
sigstore verify identity --cert-identity $ID --cert-oidc-issuer $ISSUER README.md
The reasons for this seem to be:
- SCT verification code made assumptions about the order of certificates in the issuer "chain"
- At some point in time "chain" actually was in that assumed order
- all of the current test data was generated during that time
- current "issuer chain" looks different
So the problem is that right now we have no test that actually asserts that our SCT verification works on the current sigstore trust root. We should add
- A new asset test/unit/assets/new_bundle.txt (like the other txts, just a text file)
- A new good signature bundle in test/unit/assets/new_bundle.txt.sigstore (the bundle is the result of running sigstore sign new_bundle.txt)
- a test that asserts that the new bundle verifies correctly (copying test_verifier_offline() probably works fine)
Note that if you create this new bundle, it will contain the email address that you used to authenticate with.
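The failure mode jku describes above (issuer lookup that assumes a fixed position in the chain, and test data that happened to match that position) is easy to reproduce without any sigstore code. The example below is an added illustration, not sigstore-python's SCT verifier and not part of this issue: it builds a constructed root -> intermediate -> leaf chain with the `cryptography` library (all ECDSA P-256, so the signature check uses `ec.ECDSA` directly), adds a decoy certificate that shares the intermediate's subject name, and compares a positional pick against an order-independent lookup that matches the leaf's AuthorityKeyIdentifier to a candidate's SubjectKeyIdentifier and then confirms the signature. All names, keys and the `find_issuer` / `issuer_by_position` helpers are hypothetical and exist only for this demonstration.

```python
"""Order-independent issuer lookup in a certificate chain (added example, not sigstore's code)."""
from __future__ import annotations

import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(subject_cn, issuer_cert, issuer_key, key, is_ca):
    """Issue a certificate for `key` signed by `issuer_key`; self-signed when issuer_cert is None."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        # AKI is derived from the issuer's key, so it equals the issuer's SKI.
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
            critical=False,
        )
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_chain():
    """Constructed test data (hypothetical names, fresh keys each run).

    Returns (leaf, intermediate, root, decoy). The decoy has the same subject name as the
    intermediate but a different key, so name matching alone cannot distinguish them.
    """
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Example Root", None, root_key, root_key, True)
    inter_key = ec.generate_private_key(ec.SECP256R1())
    inter = _make_cert("Example Intermediate", root, root_key, inter_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _make_cert("Example Leaf", inter, inter_key, leaf_key, False)
    decoy_key = ec.generate_private_key(ec.SECP256R1())
    decoy = _make_cert("Example Intermediate", None, decoy_key, decoy_key, True)
    return leaf, inter, root, decoy


def _signed_by(cert, issuer):
    """True if `issuer`'s public key verifies `cert`'s signature (ECDSA keys only here)."""
    try:
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def issuer_by_position(chain):
    """The fragile approach: assume the first chain element issued the leaf."""
    return chain[0]


def find_issuer(leaf, chain):
    """Pick the leaf's issuer from `chain` regardless of order.

    Match AuthorityKeyIdentifier -> SubjectKeyIdentifier when the leaf carries an AKI,
    fall back to issuer name otherwise, and always confirm with a signature check so a
    subject-name collision (the decoy) cannot be selected.
    """
    try:
        aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None
    for cand in chain:
        if aki is not None:
            try:
                ski = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
            except x509.ExtensionNotFound:
                ski = None
            if ski != aki:
                continue
        elif cand.subject != leaf.issuer:
            continue
        if _signed_by(leaf, cand):
            return cand
    raise ValueError("no certificate in the chain issued this leaf")


if __name__ == "__main__":
    leaf, inter, root, decoy = build_chain()
    reordered = [root, decoy, inter]
    print("positional pick correct:", issuer_by_position(reordered) is inter)
    print("lookup pick correct:", find_issuer(leaf, reordered) is inter)
```

The point for a test suite is the same as in the issue: data generated while the chain happened to be in the "expected" order will keep a positional lookup green, so a regression test has to use a bundle and trust root laid out the way the current service actually returns them, not one captured when the order matched by accident.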