
Verification crashes for v0.1 bundles missing checkpoints #259

Closed
woodruffw opened this issue Aug 8, 2024 · 2 comments · Fixed by #260
Labels: bug (Something isn't working)

Comments

@woodruffw (Member)

Description

I observed this behavior while trying to cross-check sigstore-python's handling of v0.1 bundles with other clients.

Reproduction steps:

wget https://www.python.org/ftp/python/3.12.5/Python-3.12.5.tgz
wget https://www.python.org/ftp/python/3.12.5/Python-3.12.5.tgz.sigstore
sigstore-go -artifact Python-3.12.5.tgz -expectedSAN 'thomas@python.org' Python-3.12.5.tgz.sigstore 

Running that fails with:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x30 pc=0x10293ec40]

goroutine 1 [running]:
github.com/sigstore/sigstore-go/pkg/tlog.ParseEntry(0x140003c8f50)
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/pkg/tlog/entry.go:132 +0x500
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).TlogEntries(0x140003d4860)
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/pkg/bundle/bundle.go:252 +0xb0
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).validate(0x140003d4860)
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/pkg/bundle/bundle.go:84 +0x100
github.com/sigstore/sigstore-go/pkg/bundle.(*ProtobufBundle).UnmarshalJSON(0x140003d4860, {0x14000389500, 0x14ad, 0x14ae})
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/pkg/bundle/bundle.go:189 +0xa4
github.com/sigstore/sigstore-go/pkg/bundle.LoadJSONFromPath({0x16d997928, 0x33})
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/pkg/bundle/bundle.go:170 +0x8c
main.run()
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/cmd/sigstore-go/main.go:94 +0x58
main.main()
	/Users/william/go/pkg/mod/github.com/sigstore/sigstore-go@v0.5.1/cmd/sigstore-go/main.go:87 +0x1c

From a quick triage, that looks like it fails on this swag.String ctor:

Checkpoint: swag.String(protoEntry.InclusionProof.Checkpoint.Envelope),

...which I suspect fails because InclusionProof.Checkpoint is completely missing from the bundle, which gets silently ignored during unpacking because protobuf is very malleable about missing items.

Version

I tested this with go install github.com/sigstore/sigstore-go/cmd/sigstore-go@latest, which I believe should be installing the latest tag (v0.5.1).

Additional context

This is arguably a knock-on bug: the Sigstore bundle in question was generated by sigstore-python in the 1.x series, which didn't include the checkpoint field in its bundles (since it wasn't clear from the v0.1 bundle spec that it was required).

I'm tracking the associated behavior in sigstore-python here: sigstore/sigstore-python#1088

woodruffw added the bug label on Aug 8, 2024

@woodruffw (Member, Author)

Forgot to mention: I think the expected behavior here is still a verification failure, but one that happens in a controlled manner rather than via a panic 🙂
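Added example, not sigstore-go's own code: the type names, error values and function names below are hypothetical stand-ins for the protobuf-generated bundle types. It puts the nil-dereference shape from the trace (an optional protobuf message that decoded to a nil pointer, reached through without a check) beside a ParseEntry that validates InclusionProof.Checkpoint first and returns an error, i.e. the controlled verification failure described above.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the protobuf-generated bundle types (hypothetical names for this
// example). An optional protobuf message decodes to a nil pointer when absent.
type Checkpoint struct{ Envelope string }
type InclusionProof struct{ Checkpoint *Checkpoint } // nil if the bundle omitted it
type TransparencyLogEntry struct{ InclusionProof *InclusionProof }

var (
	ErrMissingInclusionProof = errors.New("tlog entry: missing inclusion proof")
	ErrMissingCheckpoint     = errors.New("tlog entry: inclusion proof has no checkpoint")
)

// parseEntryUnchecked has the crashing shape from the trace: it reaches through
// InclusionProof.Checkpoint with no nil check, so a bundle without a checkpoint panics.
func parseEntryUnchecked(e *TransparencyLogEntry) string {
	return e.InclusionProof.Checkpoint.Envelope
}

// ParseEntry validates the optional fields first and reports an absent checkpoint
// as an ordinary error, so verification fails in a controlled way instead of panicking.
func ParseEntry(e *TransparencyLogEntry) (string, error) {
	if e == nil || e.InclusionProof == nil {
		return "", ErrMissingInclusionProof
	}
	if cp := e.InclusionProof.Checkpoint; cp == nil || cp.Envelope == "" {
		return "", ErrMissingCheckpoint
	}
	return e.InclusionProof.Checkpoint.Envelope, nil
}

// panics reports whether parseEntryUnchecked panics on e (demonstrates the bug safely).
func panics(e *TransparencyLogEntry) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	parseEntryUnchecked(e)
	return false
}

func main() {
	// Constructed sample: a v0.1-style entry whose checkpoint field was omitted.
	legacy := &TransparencyLogEntry{InclusionProof: &InclusionProof{}}
	fmt.Println("unchecked parse panics:", panics(legacy)) // true
	_, err := ParseEntry(legacy)
	fmt.Println("checked parse error:", err) // tlog entry: inclusion proof has no checkpoint
}
```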

@steiza (Member)

steiza commented Aug 8, 2024

This is a great example of one of the corner-cases we should be addressing in #63!
