Skip to content

Improve case of possible wrong instance on verify#1510

Merged
woodruffw merged 4 commits intosigstore:mainfrom
jku:improve-case-of-wrong-instance-on-verify
Aug 18, 2025
Merged

Improve case of possible wrong instance on verify#1510
woodruffw merged 4 commits intosigstore:mainfrom
jku:improve-case-of-wrong-instance-on-verify

Conversation

@jku
Copy link
Member

@jku jku commented Aug 15, 2025
edited
Loading

Fixes #1487

  • moves rfc3161-client exception details to debug log level
  • Offers a hint if TSA cert chain verification fails: this is a sign that possibly the bundle uses a different sigstore instance than the verification expects
$ sigstore verify identity ...
[16:09:18] WARNING  A certificate chain was not valid, are you using the correct Sigstore   _cli.py:1095
                    instance?
           ERROR    FAIL: sign-main-rekorv1/README.md                                       _cli.py:1098
$

jku added 3 commits August 15, 2025 16:17
@jku
verify: Handle case of wrong Sigstore instance better
9cc1490 
This is not foolproof but it does work when e.g. a bundle is
signed with "--staging" and verified without it:

$ sigstore verify identity ...
[16:09:18] WARNING  A certificate chain was not valid, are you using the correct Sigstore   _cli.py:1095
                    instance?
           ERROR    FAIL: sign-main-rekorv1/README.md                                       _cli.py:1098
$

In practice if TSA cert validation fails we take that as a hint that this
might be a case of wrong instance (because that's the first use case of
trusted root certs).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
tests: Modify expected output to match current output
bd293ef 
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
cli: Remember to exit(1) when failing
c7bd1e2 
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
Copy link
Member Author

jku commented Aug 16, 2025

Maybe I went a little too far in removing details from the error putput. Could output one line of error details and then a separate hint

@jku
Copy link
Member Author

jku commented Aug 18, 2025

Ok, I changed the output so there is a little more. This is what it looks like now if I try to verify a staging bundle without specifying --staging:

[14:35:50] WARNING  A certificate chain was not valid, are you using the correct Sigstore instance?       _cli.py:1096
           ERROR    FAIL: sign-main-rekorv1/README.md                                                     _cli.py:1100
           ERROR    failed to build timestamp certificate chain: unable to get local issuer certificate   errors.py:42
                    For detailed error information, run sigstore with the `--verbose` flag.

--verbose will give you both the rfc3161 trace and and the sigstore-python trace

@jku
cli: Tweak the error output
c2a3624 
Make the output more useful when TSA cert cannot be verified

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku force-pushed the improve-case-of-wrong-instance-on-verify branch from ac66c62 to c2a3624 Compare August 18, 2025 11:42
woodruffw
woodruffw approved these changes Aug 18, 2025
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me, thanks @jku!

@woodruffw woodruffw merged commit e00d489 into sigstore:main Aug 18, 2025
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

accidentally verifying with wrong sigstore instance looks confusing

2 participants

@jku @woodruffw