It looks like we never check that messageSignature.messageDigest.Digest in a signature bundle actually matches the digest of the artifact we get
- this does not seem like a serious security issue since we do verify that the signature is over the digest of the actual artifact
- but it does look very suspicious that I can modify messageSignature.messageDigest.Digest and verify still succeeds
So there is no case where an incorrect artifact would get verified, but we do have a false positive verify with a malformed bundle where the documented digest is incorrect (but the signature is still over the actual digest). This could be an issue in a special case where a verification process runs sigstore-python and then uses the digest from the bundle for further processing.
This is from sigstore/sigstore-conformance#312
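The false positive described in the report, reconstructed as an added example (this is not sigstore-python's code, and the names MessageSignature, MessageDigest, verify_lenient, verify_strict and make_bundle are assumptions made here). A real bundle carries an ECDSA signature checked against the signing certificate's public key; to keep the example runnable on the standard library alone, the signature is stood in for by an HMAC over the digest, which is enough to show the control flow. verify_lenient only checks the signature over the recomputed artifact digest, so a bundle whose declared messageDigest.Digest has been altered still verifies; verify_strict adds the missing comparison between the declared digest and the digest of the artifact actually being verified.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for the relevant part of a Sigstore bundle:
# messageSignature.messageDigest.{algorithm, digest} plus the signature bytes.
@dataclass
class MessageDigest:
    algorithm: str
    digest: bytes


@dataclass
class MessageSignature:
    message_digest: MessageDigest
    signature: bytes


# Hypothetical key standing in for the signer's private key. Sigstore uses
# ECDSA verified via a certificate; HMAC-SHA256 is used here only so that the
# example runs offline with the standard library.
_SIGNING_KEY = b"example-key-not-a-sigstore-key"


def sign_digest(digest: bytes) -> bytes:
    """Stand-in signer: the signature is computed over the artifact digest."""
    return hmac.new(_SIGNING_KEY, digest, hashlib.sha256).digest()


def signature_is_valid(digest: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_digest(digest), signature)


def verify_lenient(artifact: bytes, ms: MessageSignature) -> bool:
    """The behaviour the issue describes: the artifact digest is recomputed and
    the signature is checked over it, but the digest the bundle declares is
    never compared against it."""
    actual = hashlib.sha256(artifact).digest()
    return signature_is_valid(actual, ms.signature)


def verify_strict(artifact: bytes, ms: MessageSignature) -> bool:
    """Same signature check, plus the consistency check the report asks for:
    the declared digest must equal the digest of the artifact being verified."""
    actual = hashlib.sha256(artifact).digest()
    if ms.message_digest.algorithm != "SHA2_256":
        return False
    if not hmac.compare_digest(ms.message_digest.digest, actual):
        return False
    return signature_is_valid(actual, ms.signature)


def make_bundle(artifact: bytes, declared_digest: Optional[bytes] = None) -> MessageSignature:
    """Build a bundle whose signature is over the true digest; optionally
    declare a different digest to simulate a malformed bundle."""
    actual = hashlib.sha256(artifact).digest()
    return MessageSignature(
        message_digest=MessageDigest("SHA2_256", declared_digest or actual),
        signature=sign_digest(actual),
    )


ARTIFACT = b"hello sigstore\n"  # constructed sample artifact


def demo() -> dict:
    good = make_bundle(ARTIFACT)
    # Malformed bundle: declared digest is all zeros, signature still over the real digest.
    tampered = make_bundle(ARTIFACT, declared_digest=bytes(32))
    return {
        "good_lenient": verify_lenient(ARTIFACT, good),
        "good_strict": verify_strict(ARTIFACT, good),
        "tampered_lenient": verify_lenient(ARTIFACT, tampered),   # the false positive
        "tampered_strict": verify_strict(ARTIFACT, tampered),     # rejected
        "wrong_artifact_lenient": verify_lenient(b"other", good), # never accepted
        "wrong_artifact_strict": verify_strict(b"other", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the strict variant is the one the report makes: a consumer that reads the digest out of the bundle after a successful verification (for example to look it up in a registry or attach it to an attestation) must not get a digest that was never checked against the artifact, so the verifier should reject the bundle rather than leave that reconciliation to the caller.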