Post-mortem for regression in 3.5.0 #1194

woodruffw · 2024-10-25T15:01:26Z

Release 3.5.0 had a minor regression which we only noticed after release: handling of "legacy" sigstore bundles (i.e. .sigstore instead of .sigstore.json) was broken by an overly broad check on .crt/.sig inputs.

No other verification flows were affected, including any flows where a user passes the verification materials explicitly rather than discovering them via file suffixes.

Resolution

We released 3.5.1 with a fix.

Improvement items

We should have an integration test that ensures we don't regress on this CLI behavior again.

The text was updated successfully, but these errors were encountered:

woodruffw · 2024-10-28T13:52:36Z

CC @facutuesca could you try and extend our current integration tests to cover this? Should be as simple as ensuring that sigstore verify ... foo.txt continues to work when foo.txt.sigstore (and only .sigstore, not .sigstore.json) is present.

woodruffw added bug Something isn't working component:cli CLI components labels Oct 28, 2024

facutuesca mentioned this issue Oct 28, 2024

Fix warning for CLI verification of legacy bundles #1198

Merged

woodruffw closed this as completed in #1198 Oct 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Post-mortem for regression in 3.5.0 #1194

Post-mortem for regression in 3.5.0 #1194

woodruffw commented Oct 25, 2024

woodruffw commented Oct 28, 2024

Post-mortem for regression in 3.5.0 #1194

Post-mortem for regression in 3.5.0 #1194

Comments

woodruffw commented Oct 25, 2024

Resolution

Improvement items

woodruffw commented Oct 28, 2024