sigstore: reject in-toto statements with unknown top-level fields (SPEC §5.4) #106

Merged: sachaservan merged 1 commit into main from fix/sigstore-reject-intoto-extra-fields on Jul 4, 2026

@lsd-cat lsd-cat commented Jul 3, 2026

Collaborator

sigstore-python tolerates unknown top-level fields in the in-toto statement. Per SPEC §5.4 the statement MUST contain only the recognized fields (_type, subject, predicateType, predicate); reject_unknown_intoto_fields rejects any unknown top-level field after the statement is parsed. Tinfoil produces canonical statements, so an unknown field is non-canonical; this matches tinfoil-go/-rs/-js.


Summary by cubic

Enforce SPEC §5.4 by rejecting in-toto statements that include unknown top-level fields during DSSE verification. Aligns validation with tinfoil-go/tinfoil-rs/tinfoil-js and prevents accepting non-canonical statements.

  • Bug Fixes
    • Added reject_unknown_intoto_fields to allow only _type, subject, predicateType, predicate.
    • Called during _verify_dsse_bundle; raises VerificationError listing the extra fields.

Written for commit 78449e2. Summary will update on new commits.

…EC §5.4)

sigstore-python tolerates unknown top-level fields in the in-toto statement.
Per SPEC §5.4 the statement MUST contain only the recognized fields (_type,
subject, predicateType, predicate); reject_unknown_intoto_fields rejects any
unknown top-level field after the statement is parsed. Tinfoil produces
canonical statements, so an unknown field is non-canonical; this matches
tinfoil-go/-rs/-js.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

@sachaservan sachaservan merged commit a9606b1 into main Jul 4, 2026
2 checks passed
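
The check described in this PR, sketched as an added example (not the project's code and not taken from the diff): it decodes a DSSE payload and rejects any top-level statement key outside the four recognized fields. `StatementError`, `load_strict_statement`, `make_envelope`, the `payloadType` check and the sample statement are assumptions constructed for illustration; signature verification is out of scope.

```python
import base64
import json

# Top-level fields the PR description lists as recognized (SPEC §5.4).
ALLOWED_FIELDS = frozenset({"_type", "subject", "predicateType", "predicate"})
# Standard DSSE payload type for in-toto statements; checking it here is an
# assumption of this example, the PR text does not mention it.
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

class StatementError(Exception):
    """Hypothetical error type; the PR itself raises VerificationError."""

def unknown_top_level_fields(statement):
    """Return the sorted top-level keys that are not in ALLOWED_FIELDS."""
    if not isinstance(statement, dict):
        raise StatementError("in-toto statement must be a JSON object")
    return sorted(set(statement) - ALLOWED_FIELDS)

def load_strict_statement(envelope):
    """Decode a DSSE envelope's payload and reject non-canonical statements."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise StatementError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    try:
        # validate=True refuses stray characters instead of silently dropping them.
        raw = base64.b64decode(envelope["payload"], validate=True)
        statement = json.loads(raw)
    except (KeyError, TypeError, ValueError) as exc:
        raise StatementError(f"malformed payload: {exc}") from exc
    extra = unknown_top_level_fields(statement)
    if extra:
        raise StatementError(f"unknown top-level fields: {extra}")
    return statement

def make_envelope(statement):
    """Build a constructed, unsigned DSSE envelope for the demo."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}

# Constructed sample statement (placeholder digest and predicate type).
CANONICAL = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-artifact", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://example.com/predicate/v1",
    "predicate": {},
}

if __name__ == "__main__":
    print(load_strict_statement(make_envelope(CANONICAL))["_type"])
    try:
        load_strict_statement(make_envelope({**CANONICAL, "extensions": {"k": "v"}}))
    except StatementError as err:
        print("rejected:", err)
```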