12 changes: 11 additions & 1 deletion sigstore/_cli.py
Expand Up @@ -46,7 +46,7 @@
SLSAPredicateV0_2,
SLSAPredicateV1_0,
)
from sigstore.errors import Error, VerificationError
from sigstore.errors import CertValidationError, Error, VerificationError
from sigstore.hashes import Hashed
from sigstore.models import Bundle, InvalidBundle
from sigstore.oidc import (
Expand Down Expand Up @@ -1092,6 +1092,11 @@ def _verify_identity(args: argparse.Namespace) -> None:
if statement is not None:
print(statement._contents.decode())
except Error as exc:
if isinstance(exc, CertValidationError):
_logger.warning(
"A certificate chain was not valid, are you using the correct Sigstore instance?"
)

_logger.error(f"FAIL: {file_or_digest}")
exc.log_and_exit(_logger, args.verbose >= 1)

Expand Down Expand Up @@ -1140,6 +1145,11 @@ def _verify_github(args: argparse.Namespace) -> None:
if statement is not None:
print(statement._contents)
except Error as exc:
if isinstance(exc, CertValidationError):
_logger.warning(
"A certificate chain was not valid, are you using the correct Sigstore instance?"
)

_logger.error(f"FAIL: {file_or_digest}")
exc.log_and_exit(_logger, args.verbose >= 1)

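Review bot: The five-line `CertValidationError` hint together with the `FAIL` log and `log_and_exit` call that follow it is now duplicated verbatim in `_verify_identity` in this hunk and in `_verify_github` in the next one, so a shared helper called from both `except Error as exc:` branches would keep the two CLI paths from drifting. Both enclosing functions start outside their hunks. Separately, the warning text offers only the wrong-instance explanation, while a chain that cannot be built is also what a timestamp from a TSA outside the trusted root looks like, so the message should name both possibilities instead of steering the user toward reconfiguring; the helper below carries the text unchanged so that wording can be settled in one place.
```python
def _log_verification_failure(exc: Error, file_or_digest, args: argparse.Namespace) -> None:
    """Log a failed verification for one input and exit via the exception's handler."""
    if isinstance(exc, CertValidationError):
        _logger.warning(
            "A certificate chain was not valid, are you using the correct Sigstore instance?"
        )
    _logger.error(f"FAIL: {file_or_digest}")
    exc.log_and_exit(_logger, args.verbose >= 1)


# … unchanged: body of _verify_identity up to the except …
    except Error as exc:
        _log_verification_failure(exc, file_or_digest, args)
```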
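--- a/sigstore/errors.py
+++ b/sigstore/errors.py
@@ -125,3 +125,11 @@ class VerificationError(Error):
 """
 Raised whenever any phase or subcomponent of Sigstore verification fails.
 """
+
+
+class CertValidationError(VerificationError):
+"""
+Raised when a TSA certificate chain fails to validate during Sigstore verification.
+
+This is used by CLI to hint that an incorrect Sigstore instance may have been used
+"""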
11 changes: 6 additions & 5 deletions sigstore/verify/verifier.py
Expand Up @@ -51,7 +51,7 @@
from sigstore._internal.timestamp import TimestampSource, TimestampVerificationResult
from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
from sigstore._utils import base64_encode_pem_cert, sha256_digest
from sigstore.errors import VerificationError
from sigstore.errors import CertValidationError, VerificationError
from sigstore.hashes import Hashed
from sigstore.models import Bundle
from sigstore.verify.policy import VerificationPolicy
Expand Down Expand Up @@ -144,9 +144,8 @@ def _verify_signed_timestamp(
verifier = builder.build()
try:
verifier.verify_message(timestamp_response, message)
except Rfc3161VerificationError as e:
_logger.debug("Unable to verify Timestamp with CA.")
_logger.exception(e)
except Rfc3161VerificationError:
_logger.debug("Unable to verify Timestamp with CA.", exc_info=True)
continue

if (
Expand Down Expand Up @@ -273,7 +272,9 @@ def _verify_chain_at_time(
# and chain should contain only CA certificates
return store_ctx.get_verified_chain()[1:]
except X509StoreContextError as e:
raise VerificationError(f"failed to build chain: {e}")
raise CertValidationError(
f"failed to build timestamp certificate chain: {e}"
)

def _verify_common_signing_cert(
self, bundle: Bundle, policy: VerificationPolicy
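Review bot: The message raised from `_verify_chain_at_time` now hardcodes `timestamp certificate chain`, but the method's name and signature are generic and its callers are outside the hunk (the signing-cert path `_verify_common_signing_cert` is defined directly after it), so if it is ever reused for the leaf chain a signing-chain failure would be reported as a timestamp-chain failure and would trigger the CLI's wrong-instance hint. A docstring line such as `Build and validate the TSA certificate chain at the given time; raises CertValidationError when no chain can be built.` would pin that contract, or the chain's purpose could be passed into the message. In `_verify_signed_timestamp`, replacing `_logger.exception(e)` with a debug line removes the reason a timestamp was skipped from default-verbosity output; since the `continue` presumably lets the failure surface only later as a missing-timestamp error, consider keeping a one-line `_logger.warning("Unable to verify Timestamp with CA.")` alongside the debug line that carries the traceback.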
5 changes: 0 additions & 5 deletions test/unit/verify/test_verifier.py
Expand Up @@ -385,11 +385,6 @@ def test_late_timestamp(self, caplog, verifier, asset, null_policy, monkeypatch)
null_policy,
)

assert (
"Error while verifying certificates: Unable to verify pkcs7 signature"
in caplog.records[0].message
)

def test_verifier_not_enough_timestamp(
self, verifier, asset, null_policy, monkeypatch
):