TSA request message digest defaults to sha256

[Client support for Rekor V2: sigstore-python](https://github.com/sigstore/rekor-tiles/issues/289)


**Description**



The request to the Timestamp Authority defaults to sha512,

- https://github.com/sigstore/sigstore-python/blob/2199d9b5d4c6aa1c6f5c6b63a18299fdedef27b0/sigstore/_internal/timestamp.py#L95-L97
- https://github.com/trailofbits/rfc3161-client/blob/c331b83648355f57d529c1a7d3f4616637a8aa0f/src/rfc3161_client/base.py#L80-L81

but then when verifying, assumes sha256.

- https://github.com/sigstore/sigstore-python/blob/2199d9b5d4c6aa1c6f5c6b63a18299fdedef27b0/sigstore/verify/verifier.py#L188-L190

We should either explicitly request sha256, or implement the example logic to determine the what the correct message digest was. Or, wait for a fix in rfc3163-client's `verify()` that accepts a message, instead of a digest.

 - https://github.com/trailofbits/rfc3161-client/blob/c331b83648355f57d529c1a7d3f4616637a8aa0f/README.md?plain=1#L93-L97
 - https://github.com/trailofbits/rfc3161-client/issues/130

**Version**



sigstore-python v3.6.2

Using TSA timestamp.sigstage.dev

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TSA request message digest defaults to sha256 #1372

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

	timestamp_request = (
	TimestampRequestBuilder().data(signature).nonce(nonce=True).build()
	)

	# The Signer sends a hash of the signature as the messageImprint in a TimeStampReq
	# to the Timestamping Service
	signature_hash = sha256_digest(bundle.signature).digest

TSA request message digest defaults to sha256 #1372

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions