Skip to content

security: verify_record API, real example JWK keys, transparency constraint#51

Merged
imran-siddique merged 2 commits into
mainfrom
security/remaining-fixes
Jun 19, 2026
Merged

security: verify_record API, real example JWK keys, transparency constraint#51
imran-siddique merged 2 commits into
mainfrom
security/remaining-fixes

Conversation

@imran-siddique

@imran-siddique imran-siddique commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Three remaining security items from pre-launch review:

  • verify_record(): adds Ed25519 signature verification to the SDK. Previously sign_record() had no corresponding verify function, making it easy for callers to skip signature verification entirely. Raises InvalidSignature on tamper, ValueError on missing signature or key. Exported from package root.
  • Example JWK coordinates: replaced fake ASCII-decodable placeholder values in examples/intel-tdx.json, examples/amd-sev-snp.json, examples/nvidia-h100.json with real P-256 throwaway coordinates. The old values decoded to strings like 'TDXVerificationKey' rather than actual key material.
  • transparency min_length: empty string is now rejected. Updated test fixture to use a real example Rekor URI first.

Test plan

  • CI passes
  • verify_record tests cover: valid sig passes, tampered record raises, missing sig raises

🤖 Generated with Claude Code

imran-siddique and others added 2 commits June 18, 2026 21:46
@imran-siddique @claude
security: add verify_record, fix example JWK coords, constrain transp…
68aab7a 
…arency

- add verify_record() to sign.py: verifies Ed25519 signature against
  cnf.jwk or an explicit public key; raises InvalidSignature on tamper,
  ValueError on missing signature or key
- export verify_record from package root alongside sign_record
- add three tests: valid sig passes, tampered record raises, missing sig raises
- replace fake ASCII JWK coordinates in examples/ with real P-256 throwaway keys
- update transparency test fixture from empty string to example Rekor URI
- add min_length=1 to transparency field (empty string is now rejected)

Signed-off-by: Imran Siddique <imran.siddique@opaque.co>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@imran-siddique
fix: use InvalidSignature instead of bare Exception in pytest.raises
17d0881 
Ruff B017 forbids asserting on bare Exception. Use the specific
cryptography.exceptions.InvalidSignature type that verify_record raises.

Signed-off-by: Imran Siddique <imran.siddique@opaque.co>
@imran-siddique imran-siddique merged commit b9fb804 into main Jun 19, 2026
3 checks passed
@imran-siddique imran-siddique deleted the security/remaining-fixes branch June 19, 2026 05:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@imran-siddique