Compare the Rekor entry body to the artifact #177
Labels
enhancement
New feature or request
Comments
Was there any more discussion on whether this is worth moving forward with? I don't think cosign does this, from what I've been able to tell. |
|
IIRC yea, Cosign does not check this as well, it only compares signatures - https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1164-L1188 Signatures are malleable, for example an ECDSA signature can be represented in two ways, so a signature should not be considered unique. In this example though, that doesn't present an issue from what I can tell, if anything malleability would cause a comparison failure. @woodruffw Did you have any thoughts here? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Tracking bug for https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/tlog.go#L174
This is not absolutely necessary because we do already compare against the signature which should effectively bind the entry to the artifact.
The text was updated successfully, but these errors were encountered: