Include SCT extension in signature data#1659

Merged
woodruffw merged 1 commit into sigstore:main from cmurphy:sct-ext
Jan 16, 2026
Conversation

@cmurphy
Contributor

@cmurphy cmurphy commented Jan 16, 2026

If an SCT includes an extension, its signature is signed over the entire data structure including the extension.

Followup to #1657
Relates to sigstore/rekor-tiles#73
Fixes conformance failure in https://github.com/sigstore/sigstore-conformance/actions/runs/21049488308/job/60532184810?pr=319

Summary

Release Note

Documentation

If an SCT includes an extension, its signature is signed over the entire
data structure including the extension.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
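The signing rule the description states, as an added example (not sigstore-python's own code): parse a TLS-encoded SCT and rebuild the RFC 6962 `digitally-signed` struct that its signature covers, carrying the SCT's own extension bytes into the signed message. The function names are hypothetical and any sample bytes are constructed for illustration.

```python
import struct

# RFC 6962 section 3.2 constants (added example, not sigstore-python's own code).
SCT_V1 = 0
SIG_TYPE_CERTIFICATE_TIMESTAMP = 0
ENTRY_X509 = 0
ENTRY_PRECERT = 1


def parse_sct(sct: bytes) -> dict:
    """Parse a TLS-encoded SignedCertificateTimestamp into its fields."""
    version, log_id, timestamp, ext_len = struct.unpack_from("!B32sQH", sct)
    pos = 1 + 32 + 8 + 2
    extensions = sct[pos:pos + ext_len]          # CtExtensions, opaque<0..2^16-1>
    pos += ext_len
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", sct, pos)
    pos += 4
    signature = sct[pos:pos + sig_len]
    if pos + sig_len != len(sct):
        raise ValueError("malformed SCT: length mismatch")
    return {"version": version, "log_id": log_id, "timestamp": timestamp,
            "extensions": extensions, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": signature}


def sct_signed_data(sct: dict, entry_type: int, signed_entry: bytes,
                    issuer_key_hash: bytes = b"") -> bytes:
    """Serialize the `digitally-signed` struct that the SCT signature covers.

    signed_entry is the DER certificate (x509_entry) or the DER TBSCertificate
    (precert_entry). The SCT's own extension bytes go last, length-prefixed, so
    they are part of the signed message even when empty; dropping them produces
    a message the log never signed and verification fails.
    """
    if entry_type == ENTRY_PRECERT:
        if len(issuer_key_hash) != 32:
            raise ValueError("precert entries need a 32-byte issuer key hash")
        entry = issuer_key_hash
    elif entry_type == ENTRY_X509:
        entry = b""
    else:
        raise ValueError(f"unknown entry type {entry_type}")
    if not 1 <= len(signed_entry) < 2**24:
        raise ValueError("signed_entry must be 1..2^24-1 bytes")
    return (struct.pack("!BBQH", SCT_V1, SIG_TYPE_CERTIFICATE_TIMESTAMP,
                        sct["timestamp"], entry_type)
            + entry
            + len(signed_entry).to_bytes(3, "big") + signed_entry   # opaque<1..2^24-1>
            + struct.pack("!H", len(sct["extensions"])) + sct["extensions"])
```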
@woodruffw
Member

/gcbrun

Member

@woodruffw woodruffw left a comment

Thanks @cmurphy! The conformance test is good enough for merge here IMO, but it'd be great to also have a unit test in tree for this (I think we have other tests for SCTs that lack these extension bytes.)

@woodruffw woodruffw merged commit e6cc009 into sigstore:main Jan 16, 2026
41 checks passed
This was referenced Jan 16, 2026
jku pushed a commit to jku/sigstore-python that referenced this pull request Jan 26, 2026
jku added a commit that referenced this pull request Jan 26, 2026
* Remove suspicion of extension bytes (#1657)

* Include SCT extension in signature data (#1659)

* Add state validation to OIDC flow to prevent CSRF

The OIDC flow in did not verify the `state` parameter returned by the
identity provider against the state sent in the request. This could
allow tricking the user into using an authorization code obtained by
the attacker.

All of the response parsing should arguably be moved to
_OAuthRedirectServer (to hide the details from `sigstore.oidc`) but
I wanted to keep this fix minimal.

Test generated by AI.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Update version to 3.6.7, update CHANGELOG

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Co-authored-by: Colleen Murphy <cmurphy@users.noreply.github.com>