From 2d7481f7278a912a172fa40ecc47fcc4a901428d Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Fri, 8 Dec 2023 16:55:19 -0800 Subject: [PATCH] add dsse bundle tests Signed-off-by: Brian DeHamer --- .github/workflows/conformance.yml | 2 +- test/assets/d.stmt.cert-expired.sigstore | 1 + test/assets/d.stmt.good.sigstore | 1 + test/assets/d.stmt.json | 47 +++++++++++ .../assets/d.stmt.no-inclusion-proof.sigstore | 1 + test/assets/d.stmt.tlog-body-error.sigstore | 1 + .../d.stmt.tlog-timestamp-error.sigstore | 1 + .../d.stmt.tsa-timestamp-error.sigstore | 1 + test/assets/trusted_root.d.json | 1 + test/test_bundle.py | 83 +++++++++++++++++++ 10 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 test/assets/d.stmt.cert-expired.sigstore create mode 100644 test/assets/d.stmt.good.sigstore create mode 100644 test/assets/d.stmt.json create mode 100644 test/assets/d.stmt.no-inclusion-proof.sigstore create mode 100644 test/assets/d.stmt.tlog-body-error.sigstore create mode 100644 test/assets/d.stmt.tlog-timestamp-error.sigstore create mode 100644 test/assets/d.stmt.tsa-timestamp-error.sigstore create mode 100644 test/assets/trusted_root.d.json diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 9cb9838..6214fb4 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -25,4 +25,4 @@ jobs: id: sigstore-conformance with: entrypoint: ${{ github.workspace }}/sigstore-python-conformance - xfail: "test_verify_with_trust_root" + xfail: "test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" diff --git a/test/assets/d.stmt.cert-expired.sigstore b/test/assets/d.stmt.cert-expired.sigstore new file mode 100644 index 0000000..3167cb4 --- /dev/null +++ b/test/assets/d.stmt.cert-expired.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+zCCAqCgAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0zMDAxMDEwMDAwMDBaFw0zMDAxMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARhI6OaXxvRqqPVhwHwTD1n56ngJ4qhuuI+Q8qH6e1K90kDyIwZj3kWHkwUxBddaHkoWZP6bYkUrqRoRE2p4iBYo4IB2zCCAdcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBSffLUNo0oDhFqCkeSP5DqqnstPsjAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYoGCisGAQQB1nkCBAIEfAR6AHgAdgD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBHMEUCIHQFz28n3pVooYV459x0HzuTBHKrL1hKm2mmRv4hs3nbAiEAtN/tQGeROcAf9YHkHqDDe1l183GhkQ++i0lMRedAXfMwCgYIKoZIzj0EAwMDSQAwRgIhAIHhd2TfNlGKQ3/vlybt4+P+9mT7ohwFluEz4cps28fwAiEAv2tR3jwF4i4IB9LTmDNVn2l1xss6mGWYiZPw36eUjWc="}]},"tlogEntries":[{"logIndex":"5252969","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675209600","inclusionPromise":{"signedEntryTimestamp":"MEQCIFpMwnPgnsW/QRryVJpasBFXuU6KkDyCohxyW9vn1md2AiBOHwaxdSlis0jUI+ZXkrt9fPbTCBxym+cPj/pM9HkSDw=="},"inclusionProof":{"logIndex":"0","rootHash":"h7LdGPr3Dc+bDUmh1zyrVBlVOK525Cv412nUseBLAHQ=","treeSize":"1","hashes":[],"checkpoint":{"envelope":"localhost:8000 - 215824313067845\n1\nh7LdGPr3Dc+bDUmh1zyrVBlVOK525Cv412nUseBLAHQ=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBFAiBEQ+m19l5dwHrvollpqYFzomUTeAzzG2Hpu0D9TRWzeQIhAKMHccf4AQDHq0crkVZe1NAkfKXQbRYMvgrQt2gKY1k1\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVdOSGRHNVBiVFYzWWxNNWVtRlhaSHBrUnpsNVdsVkJlVXhxUlhWTlEwbHpRMmxCWjBsRFFXZEpRMHByWVZka2JHTXpVV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzVPYjFsVVZYaE5hVWsyU1VOSk5VMUhXWGxOYWs1dFQxUnJlVnBVVW1wUFJHaHJXa1JCTWs5SFRtdE5iVVV4V20xTk1VNHlXVFZhUkVwcFRYcEJNMDlVWjNwT1JFNXJXa1JhYkUxNmFHMU5hbXhxVFdwUmQxcFVRVEJaYlVWM1QxUkNiRnBxWjNwTlYxazBUa1JSTlUxRVp6Qk9NazB3V2xSbmVWbHFhM2xOZWtwcVRucG9iRTlIUlhsT1ZHY3dUbXBPYVUxWFZURk9WMDEzV21wak1FNXFiRzFPZWsxM1RXcFpNVTFFUVRSYWJVVXlUbXBOZWxwcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUV2xNUVc5blNVTkJaMGxEUVdkSlEwRm5TVzVDYUdSSFoybFBhVUZwVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJZMjFXYzFwWFJucGFVelUxWWxkM2FVTnBRV2RKUTBGblNVTkJaMlpSYjJkSlEwRm5TVU5DT1V4QmIyZEpRMEZuU1VOQmFXRlhOVEJhV0VwMVdWZDRVVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2RKUTBwdVlWaFNiMlJYU1dsUGFVSTNRMmxCWjBsRFFXZEpRMEZuU1VOQmFWcFlXbXhpYmxKbVltMUdkRnBUU1RaSlEwcDNaRmhPYjBscGQwdEpRMEZuU1VOQlowbERRV2RKUTBwNVdsaENkbU15YkRCaU0wbzFXREpzYTBscWIyZEphbEUxVGxSVk0wNUVWVEZPVTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWFprTWpWc1kydzVjRnBEU1RaSlEwa3pUVlJCTlU1cVRURk5lVWxMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlNEQnpRMmxCWjBsRFFXZEpRMHA1V2xoT2RtSklXbXhhUlZKc1kwZFdkVnBIVm5WWk1teHNZM2xKTmtsR2MwdEpRMEZuU1VOQlowbERRamREYVVGblNVTkJaMGxEUVdkSlEwRnBaRmhLY0VscWIyZEpiV1J3WkVOMGIyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZG1NeWJHNWpNMUoyWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VGtGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVbHBkMHRKUTBGblNVTkJaMGxEUVdkSlEwcHJZVmRrYkdNelVXbFBhVUkzUTJsQlowbERRV2RKUTBGblNVTkJaMGxEU201aFdGSkVZakl4ZEdGWVVXbFBhVUZwVFdwYWEwMVVXVEZOVkUxNlQwUmFiVnB0Um1oT2VtdDNXV3BHYWsxNlNtMVBWRWt6VGxSUk1GcHFSWHBOYWtwc1RrUkZOVTVEU1V0SlEwRm5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlJqQkxTVU5CWjBsSU1ITkRhVUZuU1VOQmFXTnVWblZTUjFZd1dWZHNjMk41U1RaSlNITkxTVU5CWjBsRFFXZEpiVW94WVZkNGExcFlTV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzFzYTBscWIyZEpiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5aaVV6bG9XVE5TY0dJeU5YcE1NMG94WW0wMWJHTnBPVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJTV2R2WjBsRFFXZEpRMEk1VEVGdlowbERRV2RKUTBGcFlsZFdNRmxYVW1oa1IwVnBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHRiSFZrYlRscVdWaFNjR0l5TlVwYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBaZDAxVVVUQlBSR2N5VG1wWmRsbFlVakJhVnpGM1pFaE5kazFUU1V0SlEwRm5TVU5CWjJaUmIyZEpRMEZuWmxGdlowbElNRXRtVVc4OSIsInBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU1yZWtORFFYRkRaMEYzU1VKQlowbEZSVkpuWjBKRVFVdENaMmR4YUd0cVQxQlJVVVJCZWtGeVRWSkZkMFIzV1VSV1VWRkVSWGRvZW1GWFpIcGtSemw1V2xSRlYwMUNVVWRCTVZWRlEyaE5UbU15Ykc1ak0xSjJZMjFWZFdKWE9XcGhla0ZsUm5jd2VrMUVRWGhOUkVWM1RVUkJkMDFFUW1GR2R6QjZUVVJCZUUxRVJYZE5SRVYzVFVSQ1lVMUJRWGRYVkVGVVFtZGpjV2hyYWs5UVVVbENRbWRuY1docmFrOVFVVTFDUW5kT1EwRkJVbWhKTms5aFdIaDJVbkZ4VUZab2QwaDNWRVF4YmpVMmJtZEtOSEZvZFhWSksxRTRjVWcyWlRGTE9UQnJSSGxKZDFwcU0ydFhTR3QzVlhoQ1pHUmhTR3R2VjFwUU5tSlphMVZ5Y1ZKdlVrVXljRFJwUWxsdk5FbENNbnBEUTBGa1kzZEVaMWxFVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOU1Vkc1FtZE9Wa2hTUlVKQlpqaEZaMXB2ZDJkYVpVZG5XbEp2WkVoU2QyTjZiM1pNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYwV1RJNWRWcHRPWGxpVjBaMVdUSlZkbHBZYURCamJWWjBXbGQ0TlV4WFVtaGliV1JzWTIwNU1XTjVNWGRrVjBwellWZE5kR0l5Ykd0WmVURnBXbGRHYW1JeU5IWk1iV1J3WkVkb01WbHBPVE5pTTBweVdtMTRkbVF6VFhaYVdHZ3dZMjFXZEZwWGVEVk1WMUpvWW0xa2JHTnRPVEZqZVRGMllWZFNha3hYU214WlYwNTJZbWsxTldKWGVFRmpiVlp0WTNrNWIxcFhSbXRqZVRsMFdWZHNkVTFDTUVkQk1WVmtSR2RSVjBKQ1UyWm1URlZPYnpCdlJHaEdjVU5yWlZOUU5VUnhjVzV6ZEZCemFrRm1RbWRPVmtoVFRVVkhSRUZYWjBKUkwwWkdlR3MzUmxWNGRDOXZSVGhzUkZwRlJqQnpOMnRoYzNWRVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSlFrTXdUVXN5YURCa1NFSjZUMms0ZG1SSE9YSmFWelIxV1ZkT01HRlhPWFZqZVRWdVlWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QyZFpiMGREYVhOSFFWRlJRakZ1YTBOQ1FVbEZaa0ZTTmtGSVowRmtaMFF6U25OeGFsRlNaVFpyVjFaRmNucGpNRFpUUkU1VVJXdDFPVEY2YlVsdkwyTkNUemN2VEhvNGJqTlJRVUZCV1ZsTFVtVjNRVUZCUVVWQmQwSklUVVZWUTBsSVVVWjZNamh1TTNCV2IyOVpWalExT1hnd1NIcDFWRUpJUzNKTU1XaExiVEp0YlZKMk5HaHpNMjVpUVdsRlFYUk9MM1JSUjJWU1QyTkJaamxaU0d0SWNVUkVaVEZzTVRnelIyaHJVU3NyYVRCc1RWSmxaRUZZWmsxM1EyZFpTVXR2V2tsNmFqQkZRWGROUkZOUlFYZFNaMGxvUVVsSWFHUXlWR1pPYkVkTFVUTXZkbXg1WW5RMEsxQXJPVzFVTjI5b2QwWnNkVVY2TkdOd2N6STRabmRCYVVWQmRqSjBVak5xZDBZMGFUUkpRamxNVkcxRVRsWnVNbXd4ZUhOek5tMUhWMWxwV2xCM016WmxWV3BYWXowS0xTMHRMUzFGVGtRZ1EwVlNWRWxHU1VOQlZFVXRMUzB0TFFvPSIsInNpZyI6IlRVVlpRMGxSUTFocVJGVnJhWGM0WTNvMlprd3lSMHBxYVZkUkx6TllPSGRoYlRoTVFuRjNSa1JhTDBKTmFUVjBSV2RKYUVGS2IwbHpkblp4TjJKelprbGxRME00UkRGYVVIY3lVSGRVYURadlRFRktTbFZGTVVwd1dGWXZaSFpGIn1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFmYzAwYzk2MzFkNGRhZjk5NjdlN2UwYTg2MDk3YWQ1YTJjMzEzMGE0MGI5ZTZmNzM1NzkzYjI5ZGQyNDczMDEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlYjlmN2IyNDg2NDE0NWNkM2IyZDE5OWYyZDBmOTQ4MDFiNDU2NjBjYjg2NmZkMmU5M2YyYTExZmEwYzA2ZWMwIn19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBbzADAgEAMIIBZgYJKoZIhvcNAQcCoIIBVzCCAVMCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQgf5jnkdNDGr7t5bocrC+Yw22FQMEYSjUAoQHbKMvDlWgCAQEYDzIwMjMwMjAxMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZYwgZMCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERjBEAiBfaEXzm0l/4ntOb0Pb/wKk8d0PfsOjbUoznCqKbmIR8AIgdeWL9g/3MynEdOpPwBozoYct9abess0426JBfH48fR8="}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQCXjDUkiw8cz6fL2GJjiWQ/3X8wam8LBqwFDZ/BMi5tEgIhAJoIsvvq7bsfIeCC8D1ZPw2PwTh6oLAJJUE1JpXV/dvE","keyid":""}]}} diff --git a/test/assets/d.stmt.good.sigstore b/test/assets/d.stmt.good.sigstore new file mode 100644 index 0000000..fc6a3f5 --- /dev/null +++ b/test/assets/d.stmt.good.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+DCCAp+gAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ5FmjVF/l/AGhu1SP/IoEmKLgQuD1yGSPALeIws9kgaG/Z+++IrAYgSIYc9RVOzzSuZm00my1vQMa71o+lO+jOo4IB2jCCAdYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBR8tkJOLY0kmrHufD2HsYlJ6d83QTAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYkGCisGAQQB1nkCBAIEewR5AHcAdQD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBGMEQCIDtVT3EK6wIlVgZ2ys5tUpTQmVNJu2VxIZ7sQQV5AOMcAiA6l78ivFFYX6B6JSyAWyEX7lO3nUn0Z5IFek7Qcqn3UTAKBggqhkjOPQQDAwNHADBEAiBPctX0JJm5KTFZF1lFEwuxbemAOuN20wJs4ZyHqN1tlwIgU+3B9FiuAalSGk/n9/ITezECpZqK5BX2KGl5bnUsuiA="}]},"tlogEntries":[{"logIndex":"5734592","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675209600","inclusionPromise":{"signedEntryTimestamp":"MEQCIEY2/WbuNZJoMI+nYGtrAPbUwINqoIomhg5Z4fBpjk1+AiAtl1EQH/VW6WxkqGyFpxNYUMVXBQl00DbkrroqeszSHw=="},"inclusionProof":{"logIndex":"0","rootHash":"3m1D+/eJvVVmvFkh/Lsd5zA4eeCN3r2BS4/0nGAz7zQ=","treeSize":"1","hashes":[],"checkpoint":{"envelope":"localhost:8000 - 264650626975152\n1\n3m1D+/eJvVVmvFkh/Lsd5zA4eeCN3r2BS4/0nGAz7zQ=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBFAiA2xT/HbtqbB+6j8i4AZO8hE64v2UeJbPaRuejyLQJgNgIhAPRMLlkWKdqMz3jW1NY8OsVnYTpBMvGTO5HrippAPXUN\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVdOSGRHNVBiVFYzWWxNNWVtRlhaSHBrUnpsNVdsVkJlVXhxUlhWTlEwbHpRMmxCWjBsRFFXZEpRMHByWVZka2JHTXpVV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzVPYjFsVVZYaE5hVWsyU1VOSk5VMUhXWGxOYWs1dFQxUnJlVnBVVW1wUFJHaHJXa1JCTWs5SFRtdE5iVVV4V20xTk1VNHlXVFZhUkVwcFRYcEJNMDlVWjNwT1JFNXJXa1JhYkUxNmFHMU5hbXhxVFdwUmQxcFVRVEJaYlVWM1QxUkNiRnBxWjNwTlYxazBUa1JSTlUxRVp6Qk9NazB3V2xSbmVWbHFhM2xOZWtwcVRucG9iRTlIUlhsT1ZHY3dUbXBPYVUxWFZURk9WMDEzV21wak1FNXFiRzFPZWsxM1RXcFpNVTFFUVRSYWJVVXlUbXBOZWxwcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUV2xNUVc5blNVTkJaMGxEUVdkSlEwRm5TVzVDYUdSSFoybFBhVUZwVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJZMjFXYzFwWFJucGFVelUxWWxkM2FVTnBRV2RKUTBGblNVTkJaMlpSYjJkSlEwRm5TVU5DT1V4QmIyZEpRMEZuU1VOQmFXRlhOVEJhV0VwMVdWZDRVVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2RKUTBwdVlWaFNiMlJYU1dsUGFVSTNRMmxCWjBsRFFXZEpRMEZuU1VOQmFWcFlXbXhpYmxKbVltMUdkRnBUU1RaSlEwcDNaRmhPYjBscGQwdEpRMEZuU1VOQlowbERRV2RKUTBwNVdsaENkbU15YkRCaU0wbzFXREpzYTBscWIyZEphbEUxVGxSVk0wNUVWVEZPVTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWFprTWpWc1kydzVjRnBEU1RaSlEwa3pUVlJCTlU1cVRURk5lVWxMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlNEQnpRMmxCWjBsRFFXZEpRMHA1V2xoT2RtSklXbXhhUlZKc1kwZFdkVnBIVm5WWk1teHNZM2xKTmtsR2MwdEpRMEZuU1VOQlowbERRamREYVVGblNVTkJaMGxEUVdkSlEwRnBaRmhLY0VscWIyZEpiV1J3WkVOMGIyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZG1NeWJHNWpNMUoyWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VGtGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVbHBkMHRKUTBGblNVTkJaMGxEUVdkSlEwcHJZVmRrYkdNelVXbFBhVUkzUTJsQlowbERRV2RKUTBGblNVTkJaMGxEU201aFdGSkVZakl4ZEdGWVVXbFBhVUZwVFdwYWEwMVVXVEZOVkUxNlQwUmFiVnB0Um1oT2VtdDNXV3BHYWsxNlNtMVBWRWt6VGxSUk1GcHFSWHBOYWtwc1RrUkZOVTVEU1V0SlEwRm5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlJqQkxTVU5CWjBsSU1ITkRhVUZuU1VOQmFXTnVWblZTUjFZd1dWZHNjMk41U1RaSlNITkxTVU5CWjBsRFFXZEpiVW94WVZkNGExcFlTV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzFzYTBscWIyZEpiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5aaVV6bG9XVE5TY0dJeU5YcE1NMG94WW0wMWJHTnBPVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJTV2R2WjBsRFFXZEpRMEk1VEVGdlowbERRV2RKUTBGcFlsZFdNRmxYVW1oa1IwVnBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHRiSFZrYlRscVdWaFNjR0l5TlVwYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBaZDAxVVVUQlBSR2N5VG1wWmRsbFlVakJhVnpGM1pFaE5kazFUU1V0SlEwRm5TVU5CWjJaUmIyZEpRMEZuWmxGdlowbElNRXRtVVc4OSIsInBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU1yUkVORFFYQXJaMEYzU1VKQlowbEZSVkpuWjBKRVFVdENaMmR4YUd0cVQxQlJVVVJCZWtGeVRWSkZkMFIzV1VSV1VWRkVSWGRvZW1GWFpIcGtSemw1V2xSRlYwMUNVVWRCTVZWRlEyaE5UbU15Ykc1ak0xSjJZMjFWZFdKWE9XcGhla0ZsUm5jd2VVMTZRWGxOUkVWM1RVUkJkMDFFUW1GR2R6QjVUWHBCZVUxRVJYZE5SRVYzVFVSQ1lVMUJRWGRYVkVGVVFtZGpjV2hyYWs5UVVVbENRbWRuY1docmFrOVFVVTFDUW5kT1EwRkJVVFZHYldwV1JpOXNMMEZIYUhVeFUxQXZTVzlGYlV0TVoxRjFSREY1UjFOUVFVeGxTWGR6T1d0bllVY3ZXaXNySzBseVFWbG5VMGxaWXpsU1ZrOTZlbE4xV20wd01HMTVNWFpSVFdFM01XOHJiRThyYWs5dk5FbENNbXBEUTBGa1dYZEVaMWxFVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOU1Vkc1FtZE9Wa2hTUlVKQlpqaEZaMXB2ZDJkYVpVZG5XbEp2WkVoU2QyTjZiM1pNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYwV1RJNWRWcHRPWGxpVjBaMVdUSlZkbHBZYURCamJWWjBXbGQ0TlV4WFVtaGliV1JzWTIwNU1XTjVNWGRrVjBwellWZE5kR0l5Ykd0WmVURnBXbGRHYW1JeU5IWk1iV1J3WkVkb01WbHBPVE5pTTBweVdtMTRkbVF6VFhaYVdHZ3dZMjFXZEZwWGVEVk1WMUpvWW0xa2JHTnRPVEZqZVRGMllWZFNha3hYU214WlYwNTJZbWsxTldKWGVFRmpiVlp0WTNrNWIxcFhSbXRqZVRsMFdWZHNkVTFDTUVkQk1WVmtSR2RSVjBKQ1VqaDBhMHBQVEZrd2EyMXlTSFZtUkRKSWMxbHNTalprT0ROUlZFRm1RbWRPVmtoVFRVVkhSRUZYWjBKUkwwWkdlR3MzUmxWNGRDOXZSVGhzUkZwRlJqQnpOMnRoYzNWRVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSlFrTXdUVXN5YURCa1NFSjZUMms0ZG1SSE9YSmFWelIxV1ZkT01HRlhPWFZqZVRWdVlWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QyZFphMGREYVhOSFFWRlJRakZ1YTBOQ1FVbEZaWGRTTlVGSVkwRmtVVVF6U25OeGFsRlNaVFpyVjFaRmNucGpNRFpUUkU1VVJXdDFPVEY2YlVsdkwyTkNUemN2VEhvNGJqTlJRVUZCV1ZsTFVtVjNRVUZCUVVWQmQwSkhUVVZSUTBsRWRGWlVNMFZMTm5kSmJGWm5Xako1Y3pWMFZYQlVVVzFXVGtwMU1sWjRTVm8zYzFGUlZqVkJUMDFqUVdsQk5tdzNPR2wyUmtaWldEWkNOa3BUZVVGWGVVVllOMnhQTTI1VmJqQmFOVWxHWldzM1VXTnhiak5WVkVGTFFtZG5jV2hyYWs5UVVWRkVRWGRPU0VGRVFrVkJhVUpRWTNSWU1FcEtiVFZMVkVaYVJqRnNSa1YzZFhoaVpXMUJUM1ZPTWpCM1NuTTBXbmxJY1U0eGRHeDNTV2RWS3pOQ09VWnBkVUZoYkZOSGF5OXVPUzlKVkdWNlJVTndXbkZMTlVKWU1rdEhiRFZpYmxWemRXbEJQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09Iiwic2lnIjoiVFVWVlEwbFJSRUpKWmxSeFNHSmFOVXhLVkZJeWEwRlhMMGN4Y0dvM2JISjJVMUJtVVVabmF6VjZOSGRsWldaTVlsRkpaMWQwZERGS1JtUnhkM0J3UlhkaVNFUkxlRmRKTDNWMVQxVllaakJHYUZsTVkyd3dURTlIYVZOaGRsVTkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNGY5MWE4ZmM0NjEyZDRlYTVlYTg4ZTNmMjU0MDhjNGY4YjcxMWY0OTkwM2Y1NmRkMmZkMWVlZTM2MTZkMWVlOSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImViOWY3YjI0ODY0MTQ1Y2QzYjJkMTk5ZjJkMGY5NDgwMWI0NTY2MGNiODY2ZmQyZTkzZjJhMTFmYTBjMDZlYzAifX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBbzADAgEAMIIBZgYJKoZIhvcNAQcCoIIBVzCCAVMCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQg8ipm2ef9jUd99t52A4cQk0BcBI4Kn+C08bXDz1JRyCgCAQEYDzIwMjMwMjAxMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZYwgZMCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERjBEAiAlvUPCQUnjz6QmtTF6waypKs4FEvLHmpLQecjArl5dYwIgAM9AZyIhZBVJLZPG6jm6druL6o0t4rky5ZQsrmrgwms="}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQDBIfTqHbZ5LJTR2kAW/G1pj7lrvSPfQFgk5z4weefLbQIgWtt1JFdqwppEwbHDKxWI/uuOUXf0FhYLcl0LOGiSavU=","keyid":""}]}} diff --git a/test/assets/d.stmt.json b/test/assets/d.stmt.json new file mode 100644 index 0000000..8ca8cb0 --- /dev/null +++ b/test/assets/d.stmt.json @@ -0,0 +1,47 @@ +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "pkg:npm/sigstore@2.1.0", + "digest": { + "sha512": "90f223f992e4c88dd068cd2a5fc57f9d2b30798343dd6e38f29c240e04ba090ef831f84490847c4e82b9232c78e8a258463b1e55c0f7469f730265008fa6633f" + } + } + ], + "predicateType": "https://slsa.dev/provenance/v1", + "predicate": { + "buildDefinition": { + "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", + "externalParameters": { + "workflow": { + "ref": "refs/heads/main", + "repository": "https://github.com/sigstore/sigstore-js", + "path": ".github/workflows/release.yml" + } + }, + "internalParameters": { + "github": { + "event_name": "push", + "repository_id": "495574555", + "repository_owner_id": "71096353" + } + }, + "resolvedDependencies": [ + { + "uri": "git+https://github.com/sigstore/sigstore-js@refs/heads/main", + "digest": { + "gitCommit": "26d16513386ffaa790b1c32f927544f1322e4194" + } + } + ] + }, + "runDetails": { + "builder": { + "id": "https://github.com/actions/runner/github-hosted" + }, + "metadata": { + "invocationId": "https://github.com/sigstore/sigstore-js/actions/runs/6014488666/attempts/1" + } + } + } +} diff --git a/test/assets/d.stmt.no-inclusion-proof.sigstore b/test/assets/d.stmt.no-inclusion-proof.sigstore new file mode 100644 index 0000000..3b09ebc --- /dev/null +++ b/test/assets/d.stmt.no-inclusion-proof.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+DCCAp+gAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ5FmjVF/l/AGhu1SP/IoEmKLgQuD1yGSPALeIws9kgaG/Z+++IrAYgSIYc9RVOzzSuZm00my1vQMa71o+lO+jOo4IB2jCCAdYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBR8tkJOLY0kmrHufD2HsYlJ6d83QTAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYkGCisGAQQB1nkCBAIEewR5AHcAdQD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBGMEQCIDtVT3EK6wIlVgZ2ys5tUpTQmVNJu2VxIZ7sQQV5AOMcAiA6l78ivFFYX6B6JSyAWyEX7lO3nUn0Z5IFek7Qcqn3UTAKBggqhkjOPQQDAwNHADBEAiBPctX0JJm5KTFZF1lFEwuxbemAOuN20wJs4ZyHqN1tlwIgU+3B9FiuAalSGk/n9/ITezECpZqK5BX2KGl5bnUsuiA="}]},"tlogEntries":[{"logIndex":"5734592","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675209600","inclusionPromise":{"signedEntryTimestamp":"MEQCIEY2/WbuNZJoMI+nYGtrAPbUwINqoIomhg5Z4fBpjk1+AiAtl1EQH/VW6WxkqGyFpxNYUMVXBQl00DbkrroqeszSHw=="},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVdOSGRHNVBiVFYzWWxNNWVtRlhaSHBrUnpsNVdsVkJlVXhxUlhWTlEwbHpRMmxCWjBsRFFXZEpRMHByWVZka2JHTXpVV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzVPYjFsVVZYaE5hVWsyU1VOSk5VMUhXWGxOYWs1dFQxUnJlVnBVVW1wUFJHaHJXa1JCTWs5SFRtdE5iVVV4V20xTk1VNHlXVFZhUkVwcFRYcEJNMDlVWjNwT1JFNXJXa1JhYkUxNmFHMU5hbXhxVFdwUmQxcFVRVEJaYlVWM1QxUkNiRnBxWjNwTlYxazBUa1JSTlUxRVp6Qk9NazB3V2xSbmVWbHFhM2xOZWtwcVRucG9iRTlIUlhsT1ZHY3dUbXBPYVUxWFZURk9WMDEzV21wak1FNXFiRzFPZWsxM1RXcFpNVTFFUVRSYWJVVXlUbXBOZWxwcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUV2xNUVc5blNVTkJaMGxEUVdkSlEwRm5TVzVDYUdSSFoybFBhVUZwVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJZMjFXYzFwWFJucGFVelUxWWxkM2FVTnBRV2RKUTBGblNVTkJaMlpSYjJkSlEwRm5TVU5DT1V4QmIyZEpRMEZuU1VOQmFXRlhOVEJhV0VwMVdWZDRVVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2RKUTBwdVlWaFNiMlJYU1dsUGFVSTNRMmxCWjBsRFFXZEpRMEZuU1VOQmFWcFlXbXhpYmxKbVltMUdkRnBUU1RaSlEwcDNaRmhPYjBscGQwdEpRMEZuU1VOQlowbERRV2RKUTBwNVdsaENkbU15YkRCaU0wbzFXREpzYTBscWIyZEphbEUxVGxSVk0wNUVWVEZPVTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWFprTWpWc1kydzVjRnBEU1RaSlEwa3pUVlJCTlU1cVRURk5lVWxMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlNEQnpRMmxCWjBsRFFXZEpRMHA1V2xoT2RtSklXbXhhUlZKc1kwZFdkVnBIVm5WWk1teHNZM2xKTmtsR2MwdEpRMEZuU1VOQlowbERRamREYVVGblNVTkJaMGxEUVdkSlEwRnBaRmhLY0VscWIyZEpiV1J3WkVOMGIyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZG1NeWJHNWpNMUoyWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VGtGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVbHBkMHRKUTBGblNVTkJaMGxEUVdkSlEwcHJZVmRrYkdNelVXbFBhVUkzUTJsQlowbERRV2RKUTBGblNVTkJaMGxEU201aFdGSkVZakl4ZEdGWVVXbFBhVUZwVFdwYWEwMVVXVEZOVkUxNlQwUmFiVnB0Um1oT2VtdDNXV3BHYWsxNlNtMVBWRWt6VGxSUk1GcHFSWHBOYWtwc1RrUkZOVTVEU1V0SlEwRm5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlJqQkxTVU5CWjBsSU1ITkRhVUZuU1VOQmFXTnVWblZTUjFZd1dWZHNjMk41U1RaSlNITkxTVU5CWjBsRFFXZEpiVW94WVZkNGExcFlTV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzFzYTBscWIyZEpiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5aaVV6bG9XVE5TY0dJeU5YcE1NMG94WW0wMWJHTnBPVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJTV2R2WjBsRFFXZEpRMEk1VEVGdlowbERRV2RKUTBGcFlsZFdNRmxYVW1oa1IwVnBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHRiSFZrYlRscVdWaFNjR0l5TlVwYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBaZDAxVVVUQlBSR2N5VG1wWmRsbFlVakJhVnpGM1pFaE5kazFUU1V0SlEwRm5TVU5CWjJaUmIyZEpRMEZuWmxGdlowbElNRXRtVVc4OSIsInBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU1yUkVORFFYQXJaMEYzU1VKQlowbEZSVkpuWjBKRVFVdENaMmR4YUd0cVQxQlJVVVJCZWtGeVRWSkZkMFIzV1VSV1VWRkVSWGRvZW1GWFpIcGtSemw1V2xSRlYwMUNVVWRCTVZWRlEyaE5UbU15Ykc1ak0xSjJZMjFWZFdKWE9XcGhla0ZsUm5jd2VVMTZRWGxOUkVWM1RVUkJkMDFFUW1GR2R6QjVUWHBCZVUxRVJYZE5SRVYzVFVSQ1lVMUJRWGRYVkVGVVFtZGpjV2hyYWs5UVVVbENRbWRuY1docmFrOVFVVTFDUW5kT1EwRkJVVFZHYldwV1JpOXNMMEZIYUhVeFUxQXZTVzlGYlV0TVoxRjFSREY1UjFOUVFVeGxTWGR6T1d0bllVY3ZXaXNySzBseVFWbG5VMGxaWXpsU1ZrOTZlbE4xV20wd01HMTVNWFpSVFdFM01XOHJiRThyYWs5dk5FbENNbXBEUTBGa1dYZEVaMWxFVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOU1Vkc1FtZE9Wa2hTUlVKQlpqaEZaMXB2ZDJkYVpVZG5XbEp2WkVoU2QyTjZiM1pNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYwV1RJNWRWcHRPWGxpVjBaMVdUSlZkbHBZYURCamJWWjBXbGQ0TlV4WFVtaGliV1JzWTIwNU1XTjVNWGRrVjBwellWZE5kR0l5Ykd0WmVURnBXbGRHYW1JeU5IWk1iV1J3WkVkb01WbHBPVE5pTTBweVdtMTRkbVF6VFhaYVdHZ3dZMjFXZEZwWGVEVk1WMUpvWW0xa2JHTnRPVEZqZVRGMllWZFNha3hYU214WlYwNTJZbWsxTldKWGVFRmpiVlp0WTNrNWIxcFhSbXRqZVRsMFdWZHNkVTFDTUVkQk1WVmtSR2RSVjBKQ1VqaDBhMHBQVEZrd2EyMXlTSFZtUkRKSWMxbHNTalprT0ROUlZFRm1RbWRPVmtoVFRVVkhSRUZYWjBKUkwwWkdlR3MzUmxWNGRDOXZSVGhzUkZwRlJqQnpOMnRoYzNWRVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSlFrTXdUVXN5YURCa1NFSjZUMms0ZG1SSE9YSmFWelIxV1ZkT01HRlhPWFZqZVRWdVlWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QyZFphMGREYVhOSFFWRlJRakZ1YTBOQ1FVbEZaWGRTTlVGSVkwRmtVVVF6U25OeGFsRlNaVFpyVjFaRmNucGpNRFpUUkU1VVJXdDFPVEY2YlVsdkwyTkNUemN2VEhvNGJqTlJRVUZCV1ZsTFVtVjNRVUZCUVVWQmQwSkhUVVZSUTBsRWRGWlVNMFZMTm5kSmJGWm5Xako1Y3pWMFZYQlVVVzFXVGtwMU1sWjRTVm8zYzFGUlZqVkJUMDFqUVdsQk5tdzNPR2wyUmtaWldEWkNOa3BUZVVGWGVVVllOMnhQTTI1VmJqQmFOVWxHWldzM1VXTnhiak5WVkVGTFFtZG5jV2hyYWs5UVVWRkVRWGRPU0VGRVFrVkJhVUpRWTNSWU1FcEtiVFZMVkVaYVJqRnNSa1YzZFhoaVpXMUJUM1ZPTWpCM1NuTTBXbmxJY1U0eGRHeDNTV2RWS3pOQ09VWnBkVUZoYkZOSGF5OXVPUzlKVkdWNlJVTndXbkZMTlVKWU1rdEhiRFZpYmxWemRXbEJQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09Iiwic2lnIjoiVFVWVlEwbFJSRUpKWmxSeFNHSmFOVXhLVkZJeWEwRlhMMGN4Y0dvM2JISjJVMUJtVVVabmF6VjZOSGRsWldaTVlsRkpaMWQwZERGS1JtUnhkM0J3UlhkaVNFUkxlRmRKTDNWMVQxVllaakJHYUZsTVkyd3dURTlIYVZOaGRsVTkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNGY5MWE4ZmM0NjEyZDRlYTVlYTg4ZTNmMjU0MDhjNGY4YjcxMWY0OTkwM2Y1NmRkMmZkMWVlZTM2MTZkMWVlOSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImViOWY3YjI0ODY0MTQ1Y2QzYjJkMTk5ZjJkMGY5NDgwMWI0NTY2MGNiODY2ZmQyZTkzZjJhMTFmYTBjMDZlYzAifX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBbzADAgEAMIIBZgYJKoZIhvcNAQcCoIIBVzCCAVMCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQg8ipm2ef9jUd99t52A4cQk0BcBI4Kn+C08bXDz1JRyCgCAQEYDzIwMjMwMjAxMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZYwgZMCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERjBEAiAlvUPCQUnjz6QmtTF6waypKs4FEvLHmpLQecjArl5dYwIgAM9AZyIhZBVJLZPG6jm6druL6o0t4rky5ZQsrmrgwms="}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQDBIfTqHbZ5LJTR2kAW/G1pj7lrvSPfQFgk5z4weefLbQIgWtt1JFdqwppEwbHDKxWI/uuOUXf0FhYLcl0LOGiSavU=","keyid":""}]}} diff --git a/test/assets/d.stmt.tlog-body-error.sigstore b/test/assets/d.stmt.tlog-body-error.sigstore new file mode 100644 index 0000000..238511e --- /dev/null +++ b/test/assets/d.stmt.tlog-body-error.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+jCCAp+gAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDxcCMxFjuYHsiOevY1TrKWCWE31x1fkXEph18/DQI8OOQGJJOTohCOAy8qrpYNK7d0apaJY7qBsbcxoUEpiO+o4IB2jCCAdYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBTjrHKUy/V5bi142XBjB0GENlrkxDAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYkGCisGAQQB1nkCBAIEewR5AHcAdQD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBGMEQCIC9C8hdUIzQc+vzQJU8SekqlnHQpmL6I4XoXJnUcANsrAiBytIcRWTezkGKwbcHV8P/7S41nahpIwMJ7UfkZr3ze+jAKBggqhkjOPQQDAwNJADBGAiEA343T8cVUDoTamfcNCUTDSxZFvmAw2S+cOa/zxhKWxSMCIQDNw9chdkJoTSTHbTmTrNYIVl/uibN02R9P8RiJnkwSlQ=="}]},"tlogEntries":[{"logIndex":"4294215","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675209600","inclusionPromise":{"signedEntryTimestamp":"MEUCIQCUZwLzdQirObJSkJMiTNmnb83lMUsDETXsHonL+p/+OgIgB4xXbuqiPM9mx+yFZxzcysXjOZf1SG8WD7S1DTlLYYs="},"inclusionProof":{"logIndex":"0","rootHash":"47Zm5mE71QV7VaaGz3RVFoyPvdr5Q5x0IkrIkSaEjVk=","treeSize":"1","hashes":[],"checkpoint":{"envelope":"localhost:8000 - 28579825976373\n1\n47Zm5mE71QV7VaaGz3RVFoyPvdr5Q5x0IkrIkSaEjVk=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBGAiEAneM0JK3EMeOkOtH3cvPdm0D5Fj5foP9ogcoQyf2BdNsCIQDKwfQu9D6kHKn6pxTGw9Y5DvzRCinRUyaJNwR1gTF93w==\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIn0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBcDADAgEAMIIBZwYJKoZIhvcNAQcCoIIBWDCCAVQCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQgIH1GI7tWteNt5ulrQ/2983zpbBQOCsQ+b8fYq2nMT1YCAQEYDzIwMjMwMjAxMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZcwgZQCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERzBFAiEAgaheTwHIZuDuOSfUbOaKVLNn5WojKa5XIlJje1cordYCIE7eA3RS+V5b9NyNzrH+hhnu78rMluXjNu1g/yEaOLLR"}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICnDXMRDpz9lTW/2Az9VlmyO97rJ1thBEJwAswt+KVP8AiA4RLactnz4s0Z3LZ7oFnxGrVEg9Pqyha3PaBWDB6MtsQ==","keyid":""}]}} diff --git a/test/assets/d.stmt.tlog-timestamp-error.sigstore b/test/assets/d.stmt.tlog-timestamp-error.sigstore new file mode 100644 index 0000000..0746b36 --- /dev/null +++ b/test/assets/d.stmt.tlog-timestamp-error.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+TCCAqCgAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQvmIXRWwN4HDzcNvSDtA+Q2Wa14ZvrztpFPE7E+GVjNmJ0p6WRDQFbQ6VBMfV42VKjGQdS/1TtPJUbtBjqAslJo4IB2zCCAdcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBS7jPBmPuY1SIDf8BXYnh0Hs6YUYzAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYoGCisGAQQB1nkCBAIEfAR6AHgAdgD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBHMEUCIGxPWMqs4Fsmpu3e9KVLOEJyWO35qVxjvhB7to/B1CfIAiEA06hF3Flq+d/TmaUZ+vmQadVJyHMY4/pHQB0UPL/HRjwwCgYIKoZIzj0EAwMDRwAwRAIgdBEXkh67WUlTj82rAA775ZZ0ckSFpKFNWwP2ZYo9Ae8CICbzv+vj4z80hCA6Nmu+zh+hl/dVYBJimHsKjnoWn2xj"}]},"tlogEntries":[{"logIndex":"7552278","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675296000","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDVa2NOVCi6MQSOiM+W91nuoBkjCktGDGPXV73Zb++VdQIhALe5D6rhCGRnQtS2wrKIu2wUTCR1ts6IhQ+4q9AgUmjg"},"inclusionProof":{"logIndex":"0","rootHash":"yUqBMuvcR5gWB/XuwWMUNUWE6CiR1llGD0YNzAgurHM=","treeSize":"1","hashes":[],"checkpoint":{"envelope":"localhost:8000 - 68566659586529\n1\nyUqBMuvcR5gWB/XuwWMUNUWE6CiR1llGD0YNzAgurHM=\nTimestamp: 1675296000000000000\n\n— localhost:8000 9ybKozBFAiEA7LI5dxlJZ1zxUiPfU2jloWnSdZzf1lc+RqQfvW8rYRsCIA+C+GnlvUvc8Fas6dRCPp6NqoYjNnn2yoan/joL9vNw\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVdOSGRHNVBiVFYzWWxNNWVtRlhaSHBrUnpsNVdsVkJlVXhxUlhWTlEwbHpRMmxCWjBsRFFXZEpRMHByWVZka2JHTXpVV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzVPYjFsVVZYaE5hVWsyU1VOSk5VMUhXWGxOYWs1dFQxUnJlVnBVVW1wUFJHaHJXa1JCTWs5SFRtdE5iVVV4V20xTk1VNHlXVFZhUkVwcFRYcEJNMDlVWjNwT1JFNXJXa1JhYkUxNmFHMU5hbXhxVFdwUmQxcFVRVEJaYlVWM1QxUkNiRnBxWjNwTlYxazBUa1JSTlUxRVp6Qk9NazB3V2xSbmVWbHFhM2xOZWtwcVRucG9iRTlIUlhsT1ZHY3dUbXBPYVUxWFZURk9WMDEzV21wak1FNXFiRzFPZWsxM1RXcFpNVTFFUVRSYWJVVXlUbXBOZWxwcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUV2xNUVc5blNVTkJaMGxEUVdkSlEwRm5TVzVDYUdSSFoybFBhVUZwVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJZMjFXYzFwWFJucGFVelUxWWxkM2FVTnBRV2RKUTBGblNVTkJaMlpSYjJkSlEwRm5TVU5DT1V4QmIyZEpRMEZuU1VOQmFXRlhOVEJhV0VwMVdWZDRVVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2RKUTBwdVlWaFNiMlJYU1dsUGFVSTNRMmxCWjBsRFFXZEpRMEZuU1VOQmFWcFlXbXhpYmxKbVltMUdkRnBUU1RaSlEwcDNaRmhPYjBscGQwdEpRMEZuU1VOQlowbERRV2RKUTBwNVdsaENkbU15YkRCaU0wbzFXREpzYTBscWIyZEphbEUxVGxSVk0wNUVWVEZPVTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWFprTWpWc1kydzVjRnBEU1RaSlEwa3pUVlJCTlU1cVRURk5lVWxMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlNEQnpRMmxCWjBsRFFXZEpRMHA1V2xoT2RtSklXbXhhUlZKc1kwZFdkVnBIVm5WWk1teHNZM2xKTmtsR2MwdEpRMEZuU1VOQlowbERRamREYVVGblNVTkJaMGxEUVdkSlEwRnBaRmhLY0VscWIyZEpiV1J3WkVOMGIyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZG1NeWJHNWpNMUoyWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VGtGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVbHBkMHRKUTBGblNVTkJaMGxEUVdkSlEwcHJZVmRrYkdNelVXbFBhVUkzUTJsQlowbERRV2RKUTBGblNVTkJaMGxEU201aFdGSkVZakl4ZEdGWVVXbFBhVUZwVFdwYWEwMVVXVEZOVkUxNlQwUmFiVnB0Um1oT2VtdDNXV3BHYWsxNlNtMVBWRWt6VGxSUk1GcHFSWHBOYWtwc1RrUkZOVTVEU1V0SlEwRm5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlJqQkxTVU5CWjBsSU1ITkRhVUZuU1VOQmFXTnVWblZTUjFZd1dWZHNjMk41U1RaSlNITkxTVU5CWjBsRFFXZEpiVW94WVZkNGExcFlTV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzFzYTBscWIyZEpiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5aaVV6bG9XVE5TY0dJeU5YcE1NMG94WW0wMWJHTnBPVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJTV2R2WjBsRFFXZEpRMEk1VEVGdlowbERRV2RKUTBGcFlsZFdNRmxYVW1oa1IwVnBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHRiSFZrYlRscVdWaFNjR0l5TlVwYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBaZDAxVVVUQlBSR2N5VG1wWmRsbFlVakJhVnpGM1pFaE5kazFUU1V0SlEwRm5TVU5CWjJaUmIyZEpRMEZuWmxGdlowbElNRXRtVVc4OSIsInBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU1yVkVORFFYRkRaMEYzU1VKQlowbEZSVkpuWjBKRVFVdENaMmR4YUd0cVQxQlJVVVJCZWtGeVRWSkZkMFIzV1VSV1VWRkVSWGRvZW1GWFpIcGtSemw1V2xSRlYwMUNVVWRCTVZWRlEyaE5UbU15Ykc1ak0xSjJZMjFWZFdKWE9XcGhla0ZsUm5jd2VVMTZRWGxOUkVWM1RVUkJkMDFFUW1GR2R6QjVUWHBCZVUxRVJYZE5SRVYzVFVSQ1lVMUJRWGRYVkVGVVFtZGpjV2hyYWs5UVVVbENRbWRuY1docmFrOVFVVTFDUW5kT1EwRkJVWFp0U1ZoU1YzZE9ORWhFZW1OT2RsTkVkRUVyVVRKWFlURTBXblp5ZW5Sd1JsQkZOMFVyUjFacVRtMUtNSEEyVjFKRVVVWmlVVFpXUWsxbVZqUXlWa3RxUjFGa1V5OHhWSFJRU2xWaWRFSnFjVUZ6YkVwdk5FbENNbnBEUTBGa1kzZEVaMWxFVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOU1Vkc1FtZE9Wa2hTUlVKQlpqaEZaMXB2ZDJkYVpVZG5XbEp2WkVoU2QyTjZiM1pNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYwV1RJNWRWcHRPWGxpVjBaMVdUSlZkbHBZYURCamJWWjBXbGQ0TlV4WFVtaGliV1JzWTIwNU1XTjVNWGRrVjBwellWZE5kR0l5Ykd0WmVURnBXbGRHYW1JeU5IWk1iV1J3WkVkb01WbHBPVE5pTTBweVdtMTRkbVF6VFhaYVdHZ3dZMjFXZEZwWGVEVk1WMUpvWW0xa2JHTnRPVEZqZVRGMllWZFNha3hYU214WlYwNTJZbWsxTldKWGVFRmpiVlp0WTNrNWIxcFhSbXRqZVRsMFdWZHNkVTFDTUVkQk1WVmtSR2RSVjBKQ1V6ZHFVRUp0VUhWWk1WTkpSR1k0UWxoWmJtZ3dTSE0yV1ZWWmVrRm1RbWRPVmtoVFRVVkhSRUZYWjBKUkwwWkdlR3MzUmxWNGRDOXZSVGhzUkZwRlJqQnpOMnRoYzNWRVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSlFrTXdUVXN5YURCa1NFSjZUMms0ZG1SSE9YSmFWelIxV1ZkT01HRlhPWFZqZVRWdVlWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QyZFpiMGREYVhOSFFWRlJRakZ1YTBOQ1FVbEZaa0ZTTmtGSVowRmtaMFF6U25OeGFsRlNaVFpyVjFaRmNucGpNRFpUUkU1VVJXdDFPVEY2YlVsdkwyTkNUemN2VEhvNGJqTlJRVUZCV1ZsTFVtVjNRVUZCUVVWQmQwSklUVVZWUTBsSGVGQlhUWEZ6TkVaemJYQjFNMlU1UzFaTVQwVktlVmRQTXpWeFZuaHFkbWhDTjNSdkwwSXhRMlpKUVdsRlFUQTJhRVl6Um14eEsyUXZWRzFoVlZvcmRtMVJZV1JXU25sSVRWazBMM0JJVVVJd1ZWQk1MMGhTYW5kM1EyZFpTVXR2V2tsNmFqQkZRWGROUkZKM1FYZFNRVWxuWkVKRldHdG9OamRYVld4VWFqZ3lja0ZCTnpjMVdsb3dZMnRUUm5CTFJrNVhkMUF5V2xsdk9VRmxPRU5KUTJKNmRpdDJhalI2T0RCb1EwRTJUbTExSzNwb0syaHNMMlJXV1VKS2FXMUljMHRxYm05WGJqSjRhZ290TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09Iiwic2lnIjoiVFVWUlEwbERiekpWV0RkNE1TdHpOVkJLVUVkWE0xVlBOU3Q2Y1RRd1prcHdOVVJuUVZOQkwzUlBaelY0TWpOQ1FXbEJRbFpIYkVVME56SjRORWwwY0hKVE1EZGlZVUpzUkhadWJtdFFaMjVZZWtadVVWb3pUVFV6UlRkcFFUMDkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYTE1YWM4MjQ1NTM0ZTRmOTczNWE0YTNlYzhkZTNiNjg0ZGU4YmI0ZmVlYmZkYzViYTUxYzNhYjFlNDU4YTJiNSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImViOWY3YjI0ODY0MTQ1Y2QzYjJkMTk5ZjJkMGY5NDgwMWI0NTY2MGNiODY2ZmQyZTkzZjJhMTFmYTBjMDZlYzAifX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBcTADAgEAMIIBaAYJKoZIhvcNAQcCoIIBWTCCAVUCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQgA78olTdeOZaXoCvFMO91aVpZeNca8fwOmzdPkd4blfsCAQEYDzIwMjMwMjAxMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZgwgZUCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIESDBGAiEAtbBDFg2+84NlgamVkI7Y1EI0Y+pqHIQTABs8y+jbM/ECIQC8MVSmRz4sh03HLFfu/KhQYNAQbIjLsQ6Kk8i9rXSPqw=="}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICo2UX7x1+s5PJPGW3UO5+zq40fJp5DgASA/tOg5x23BAiABVGlE472x4ItprS07baBlDvnnkPgnXzFnQZ3M53E7iA==","keyid":""}]}} diff --git a/test/assets/d.stmt.tsa-timestamp-error.sigstore b/test/assets/d.stmt.tsa-timestamp-error.sigstore new file mode 100644 index 0000000..b2b22bf --- /dev/null +++ b/test/assets/d.stmt.tsa-timestamp-error.sigstore @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC+DCCAp+gAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARdCrycbaHn2s5zreahOt2C0GpWOl5H4tkZSPwRV/5w8IJNM8q5+3SC18x/7I7qt2B2X49hlMUg7t6US2BZ7LWQo4IB2jCCAdYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBRbDzVM27beFgUHjFI0J18WQ/ki5jAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wgYkGCisGAQQB1nkCBAIEewR5AHcAdQD3JsqjQRe6kWVErzc06SDNTEku91zmIo/cBO7/Lz8n3QAAAYYKRewAAAAEAwBGMEQCIDsf6GRTAvisr5xjJRCHVTBr2VPnBNECnR2nzmBF0TJfAiA6rG53fl3f9c7j1CtjdVMItXtNvqOGg7D+fgXL+xf5CzAKBggqhkjOPQQDAwNHADBEAiBz7zF7BTSZXJLuAoKavaoJF8nFtGfvGckMp/lMzgPLTQIgK35U7BUu/AmZsqDHOBmmoxbfJqpcjoLajpGNqJDYZXk="}]},"tlogEntries":[{"logIndex":"3010268","logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1675209600","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDPWTm/oZ4KdJTqBj2Wm0GpOpn1ZO5237WanUZnuLT7tgIhAPOqVaxzcn3nRJ2qTuRqlQ1s8+T2dq88LBBVa4gXUZld"},"inclusionProof":{"logIndex":"0","rootHash":"LVlnMEIuow4IOZBZ+cZ6jnJdwsvfTu2ukLVhi3H7LHY=","treeSize":"1","hashes":[],"checkpoint":{"envelope":"localhost:8000 - 13576215840874\n1\nLVlnMEIuow4IOZBZ+cZ6jnJdwsvfTu2ukLVhi3H7LHY=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBFAiANxS6Cgek4WT/9hru3MFVASsUxMLaypp7cWmNswXM94AIhAMVE2kvYsR3RDcpHwZm6LSqwAIM/++wmVldEcb6xTgEL\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVdOSGRHNVBiVFYzWWxNNWVtRlhaSHBrUnpsNVdsVkJlVXhxUlhWTlEwbHpRMmxCWjBsRFFXZEpRMHByWVZka2JHTXpVV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzVPYjFsVVZYaE5hVWsyU1VOSk5VMUhXWGxOYWs1dFQxUnJlVnBVVW1wUFJHaHJXa1JCTWs5SFRtdE5iVVV4V20xTk1VNHlXVFZhUkVwcFRYcEJNMDlVWjNwT1JFNXJXa1JhYkUxNmFHMU5hbXhxVFdwUmQxcFVRVEJaYlVWM1QxUkNiRnBxWjNwTlYxazBUa1JSTlUxRVp6Qk9NazB3V2xSbmVWbHFhM2xOZWtwcVRucG9iRTlIUlhsT1ZHY3dUbXBPYVUxWFZURk9WMDEzV21wak1FNXFiRzFPZWsxM1RXcFpNVTFFUVRSYWJVVXlUbXBOZWxwcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUV2xNUVc5blNVTkJaMGxEUVdkSlEwRm5TVzVDYUdSSFoybFBhVUZwVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJZMjFXYzFwWFJucGFVelUxWWxkM2FVTnBRV2RKUTBGblNVTkJaMlpSYjJkSlEwRm5TVU5DT1V4QmIyZEpRMEZuU1VOQmFXRlhOVEJhV0VwMVdWZDRVVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2RKUTBwdVlWaFNiMlJYU1dsUGFVSTNRMmxCWjBsRFFXZEpRMEZuU1VOQmFWcFlXbXhpYmxKbVltMUdkRnBUU1RaSlEwcDNaRmhPYjBscGQwdEpRMEZuU1VOQlowbERRV2RKUTBwNVdsaENkbU15YkRCaU0wbzFXREpzYTBscWIyZEphbEUxVGxSVk0wNUVWVEZPVTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWFprTWpWc1kydzVjRnBEU1RaSlEwa3pUVlJCTlU1cVRURk5lVWxMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlNEQnpRMmxCWjBsRFFXZEpRMHA1V2xoT2RtSklXbXhhUlZKc1kwZFdkVnBIVm5WWk1teHNZM2xKTmtsR2MwdEpRMEZuU1VOQlowbERRamREYVVGblNVTkJaMGxEUVdkSlEwRnBaRmhLY0VscWIyZEpiV1J3WkVOMGIyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZG1NeWJHNWpNMUoyWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VGtGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVbHBkMHRKUTBGblNVTkJaMGxEUVdkSlEwcHJZVmRrYkdNelVXbFBhVUkzUTJsQlowbERRV2RKUTBGblNVTkJaMGxEU201aFdGSkVZakl4ZEdGWVVXbFBhVUZwVFdwYWEwMVVXVEZOVkUxNlQwUmFiVnB0Um1oT2VtdDNXV3BHYWsxNlNtMVBWRWt6VGxSUk1GcHFSWHBOYWtwc1RrUkZOVTVEU1V0SlEwRm5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RKUTBJNVEybEJaMGxEUVdkSlJqQkxTVU5CWjBsSU1ITkRhVUZuU1VOQmFXTnVWblZTUjFZd1dWZHNjMk41U1RaSlNITkxTVU5CWjBsRFFXZEpiVW94WVZkNGExcFlTV2xQYVVJM1EybEJaMGxEUVdkSlEwRm5TVzFzYTBscWIyZEpiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5aaVV6bG9XVE5TY0dJeU5YcE1NMG94WW0wMWJHTnBPVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJTV2R2WjBsRFFXZEpRMEk1VEVGdlowbERRV2RKUTBGcFlsZFdNRmxYVW1oa1IwVnBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHRiSFZrYlRscVdWaFNjR0l5TlVwYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRHRnVUWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBaZDAxVVVUQlBSR2N5VG1wWmRsbFlVakJhVnpGM1pFaE5kazFUU1V0SlEwRm5TVU5CWjJaUmIyZEpRMEZuWmxGdlowbElNRXRtVVc4OSIsInBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU1yUkVORFFYQXJaMEYzU1VKQlowbEZSVkpuWjBKRVFVdENaMmR4YUd0cVQxQlJVVVJCZWtGeVRWSkZkMFIzV1VSV1VWRkVSWGRvZW1GWFpIcGtSemw1V2xSRlYwMUNVVWRCTVZWRlEyaE5UbU15Ykc1ak0xSjJZMjFWZFdKWE9XcGhla0ZsUm5jd2VVMTZRWGxOUkVWM1RVUkJkMDFFUW1GR2R6QjVUWHBCZVUxRVJYZE5SRVYzVFVSQ1lVMUJRWGRYVkVGVVFtZGpjV2hyYWs5UVVVbENRbWRuY1docmFrOVFVVTFDUW5kT1EwRkJVbVJEY25salltRkliakp6TlhweVpXRm9UM1F5UXpCSGNGZFBiRFZJTkhScldsTlFkMUpXTHpWM09FbEtUazA0Y1RVck0xTkRNVGg0THpkSk4zRjBNa0l5V0RRNWFHeE5WV2MzZERaVlV6SkNXamRNVjFGdk5FbENNbXBEUTBGa1dYZEVaMWxFVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOU1Vkc1FtZE9Wa2hTUlVKQlpqaEZaMXB2ZDJkYVpVZG5XbEp2WkVoU2QyTjZiM1pNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYwV1RJNWRWcHRPWGxpVjBaMVdUSlZkbHBZYURCamJWWjBXbGQ0TlV4WFVtaGliV1JzWTIwNU1XTjVNWGRrVjBwellWZE5kR0l5Ykd0WmVURnBXbGRHYW1JeU5IWk1iV1J3WkVkb01WbHBPVE5pTTBweVdtMTRkbVF6VFhaYVdHZ3dZMjFXZEZwWGVEVk1WMUpvWW0xa2JHTnRPVEZqZVRGMllWZFNha3hYU214WlYwNTJZbWsxTldKWGVFRmpiVlp0WTNrNWIxcFhSbXRqZVRsMFdWZHNkVTFDTUVkQk1WVmtSR2RSVjBKQ1VtSkVlbFpOTWpkaVpVWm5WVWhxUmtrd1NqRTRWMUV2YTJrMWFrRm1RbWRPVmtoVFRVVkhSRUZYWjBKUkwwWkdlR3MzUmxWNGRDOXZSVGhzUkZwRlJqQnpOMnRoYzNWRVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSlFrTXdUVXN5YURCa1NFSjZUMms0ZG1SSE9YSmFWelIxV1ZkT01HRlhPWFZqZVRWdVlWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QyZFphMGREYVhOSFFWRlJRakZ1YTBOQ1FVbEZaWGRTTlVGSVkwRmtVVVF6U25OeGFsRlNaVFpyVjFaRmNucGpNRFpUUkU1VVJXdDFPVEY2YlVsdkwyTkNUemN2VEhvNGJqTlJRVUZCV1ZsTFVtVjNRVUZCUVVWQmQwSkhUVVZSUTBsRWMyWTJSMUpVUVhacGMzSTFlR3BLVWtOSVZsUkNjakpXVUc1Q1RrVkRibEl5Ym5wdFFrWXdWRXBtUVdsQk5uSkhOVE5tYkRObU9XTTNhakZEZEdwa1ZrMUpkRmgwVG5aeFQwZG5OMFFyWm1kWVRDdDRaalZEZWtGTFFtZG5jV2hyYWs5UVVWRkVRWGRPU0VGRVFrVkJhVUo2TjNwR04wSlVVMXBZU2t4MVFXOUxZWFpoYjBwR09HNUdkRWRtZGtkamEwMXdMMnhOZW1kUVRGUlJTV2RMTXpWVk4wSlZkUzlCYlZwemNVUklUMEp0Ylc5NFltWktjWEJqYW05TVlXcHdSMDV4U2tSWldsaHJQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09Iiwic2lnIjoiVFVWVlEwbERLMkppUXpsME1EaHBiMnQyYUZNNVdrVmxkbXhOV1hkYWEwOVNUMWQzYlcxUFpWRjVlbXh6YVVaelFXbEZRVFV4TDJaQlJGVXZhR1JDYXpGeFJYQmlTMlZVVEdkRWFrRlVabTgzYUZobGIzcHVVaThyT0ZCcFZWRTkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiOThjYzU4NmE0OGFmYWI0MTg1MzhlOGEyNTI4NGZhODY3MmU0MDdmZWEwZjgzNGMwMWQ0MjgxMGNmYjQzYWU4MiJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImViOWY3YjI0ODY0MTQ1Y2QzYjJkMTk5ZjJkMGY5NDgwMWI0NTY2MGNiODY2ZmQyZTkzZjJhMTFmYTBjMDZlYzAifX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIBcDADAgEAMIIBZwYJKoZIhvcNAQcCoIIBWDCCAVQCAQMxDzANBglghkgBZQMEAgEFADCBoQYLKoZIhvcNAQkQAQSggZEkgY4EgYswgYgCAQEGCSsGAQQBg78wAjAvMAsGCWCGSAFlAwQCAQQgWm4jxNpUAOV5nAU7iu+T5VbrgBex5lRvMQrVHdsECUsCAQEYDzIwMjMwMjAyMDAwMDAwWjADAgEBAgRJlgLSoCikJjAkMSIwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMAoGA1UEAxMDdHNhoAAxgZcwgZQCAQEwKzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2sCAQEwDQYJYIZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERzBFAiEAljEKXqqL5rIbtmg3HXA/3jZvB+OIcyLdTR/yYE9KNxQCICPj6VCfozvX62hi+w5/FCQLcbaR7ld2aRbT+UAXoqfQ"}]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsCiAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgInNoYTUxMiI6ICI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwiCiAgICAgICAgfQogICAgICB9LAogICAgICAiaW50ZXJuYWxQYXJhbWV0ZXJzIjogewogICAgICAgICJnaXRodWIiOiB7CiAgICAgICAgICAiZXZlbnRfbmFtZSI6ICJwdXNoIiwKICAgICAgICAgICJyZXBvc2l0b3J5X2lkIjogIjQ5NTU3NDU1NSIsCiAgICAgICAgICAicmVwb3NpdG9yeV9vd25lcl9pZCI6ICI3MTA5NjM1MyIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXNvbHZlZERlcGVuZGVuY2llcyI6IFsKICAgICAgICB7CiAgICAgICAgICAidXJpIjogImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanNAcmVmcy9oZWFkcy9tYWluIiwKICAgICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAgICJnaXRDb21taXQiOiAiMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NCIKICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIF0KICAgIH0sCiAgICAicnVuRGV0YWlscyI6IHsKICAgICAgImJ1aWxkZXIiOiB7CiAgICAgICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIgogICAgICB9LAogICAgICAibWV0YWRhdGEiOiB7CiAgICAgICAgImludm9jYXRpb25JZCI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMSIKICAgICAgfQogICAgfQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIC+bbC9t08iokvhS9ZEevlMYwZkOROWwmmOeQyzlsiFsAiEA51/fADU/hdBk1qEpbKeTLgDjATfo7hXeoznR/+8PiUQ=","keyid":""}]}} diff --git a/test/assets/trusted_root.d.json b/test/assets/trusted_root.d.json new file mode 100644 index 0000000..4f58d06 --- /dev/null +++ b/test/assets/trusted_root.d.json @@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.trustedroot+json;version=0.1","tlogs":[{"baseUrl":"http://localhost:8000","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYI4heOTrNrZO27elFE8ynfrdPMikttRkbe+vJKQ50G6bfwQ3WyhLpRwwwohelDAm8xRzJ56nYsIa3VHivVvpmA==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2023-01-01T00:00:00.000Z"}},"logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="}}],"certificateAuthorities":[{"subject":{"organization":"sigstore.mock","commonName":"sigstore"},"uri":"http://localhost:8000","certChain":{"certificates":[{"rawBytes":"MIIBqDCCAU6gAwIBAgIBATAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAxMDEwMDAwMDBaFw0yNDAxMDEwMDAwMDBaMCsxETAPBgNVBAMTCHNpZ3N0b3JlMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYI4heOTrNrZO27elFE8ynfrdPMikttRkbe+vJKQ50G6bfwQ3WyhLpRwwwohelDAm8xRzJ56nYsIa3VHivVvpmKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFD8UXGTsVTG3+gTyUNkQXSzuRqy4MB8GA1UdIwQYMBaAFD8UXGTsVTG3+gTyUNkQXSzuRqy4MAoGCCqGSM49BAMDA0gAMEUCIEG2WqFq6nXZAZr6HOhVPVM2qM98KMZ++AO2pY+ECNlhAiEAqMOYtWz1IBkB+9yZTsi3H1wcoh/cdgfct7CsITTEK+s="}]},"validFor":{"start":"2023-01-01T00:00:00.000Z"}}],"ctlogs":[{"baseUrl":"http://localhost:8000","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYI4heOTrNrZO27elFE8ynfrdPMikttRkbe+vJKQ50G6bfwQ3WyhLpRwwwohelDAm8xRzJ56nYsIa3VHivVvpmA==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2023-01-01T00:00:00.000Z"}},"logId":{"keyId":"9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="}}],"timestampAuthorities":[{"subject":{"organization":"sigstore.mock","commonName":"sigstore"},"uri":"http://localhost:8000","certChain":{"certificates":[{"rawBytes":"MIIBnjCCAUSgAwIBAgIBATAKBggqhkjOPQQDAzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2swHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2swWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARgjiF45Os2tk7bt6UUTzKd+t08yKS21GRt768kpDnQbpt/BDdbKEulHDDCiF6UMCbzFHMnnqdiwhrdUeK9W+mYo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUPxRcZOxVMbf6BPJQ2RBdLO5GrLgwHwYDVR0jBBgwFoAUPxRcZOxVMbf6BPJQ2RBdLO5GrLgwCgYIKoZIzj0EAwMDSAAwRQIgdL3iJSs1u5W9NH2GLHWBHvLEYPrtANa8CFP3qRZ636MCIQClEWkW9QWB/fcKutWzRPfYnsOtcmE6lL082hl07V3/Zw=="}]},"validFor":{"start":"2023-01-01T00:00:00.000Z"}}]} diff --git a/test/test_bundle.py b/test/test_bundle.py index 42a28fa..8a52f6e 100644 --- a/test/test_bundle.py +++ b/test/test_bundle.py @@ -19,6 +19,18 @@ def test_verify(client: SigstoreClient, make_materials_by_type: _MakeMaterialsBy client.verify(materials, input_path) +def test_verify_dsse_bundle_with_trust_root(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Test the happy path of verification for DSSE bundle w/ custom trust root + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.good.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + client.verify(materials, input_path) + + def test_verify_rejects_root( client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType ) -> None: @@ -156,3 +168,74 @@ def test_verify_rejects_different_materials( with client.raises(): client.verify(materials, input_path) + + +def test_verify_rejects_expired_certificate(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Check that the client rejects a bundle if the certificate was issued + outside the validity window of the trusted root + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.cert-expired.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + with client.raises(): + client.verify(materials, input_path) + + +def test_verify_rejects_missing_inclusion_proof(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Check that the client rejects a v0.2 bundle if the TLog entry does NOT + contain an inclusion proof + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.no-inclusion-proof.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + with client.raises(): + client.verify(materials, input_path) + + +def test_verify_rejects_bad_tlog_timestamp(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Check that the client rejects a bundle if the TLog entry contains a + timestamp that falls outside the validity window of the signing + certificate. + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.tlog-timestamp-error.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + with client.raises(): + client.verify(materials, input_path) + + +def test_verify_rejects_bad_tlog_entry(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Check that the client rejects a bundle if the body of the TLog entry does + not match the signed artifact. + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.tlog-body-error.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + with client.raises(): + client.verify(materials, input_path) + + +def test_verify_rejects_bad_tsa_timestamp(client: SigstoreClient, make_materials_by_type: _MakeMaterialsByType) -> None: + """ + Check that the client rejects a bundle if the TSA timestamp falls outside + the validity window of the signing certificate. + """ + materials: BundleMaterials + input_path, materials = make_materials_by_type("d.stmt.json", BundleMaterials) + materials.bundle = Path("d.stmt.tsa-timestamp-error.sigstore") + materials.trusted_root = Path("trusted_root.d.json") + + with client.raises(): + client.verify(materials, input_path)