fix: fail closed on unverifiable signatures, format downgrades, http URIs, stale records #7
Merged
…URIs, stale records

Security fixes for four fail-open paths:

- TR-SIG: plain trace records carried no verifiable signature yet were reported PASS + SKIP, so `verify --level 2` passed for unsigned JSON. TR-SIG now FAILs at level >= 1 and emits a distinct UNVERIFIED status (never PASS-only) at level 0. CLI treats UNVERIFIED as failure at level >= 1 and surfaces it in the result line at level 0.
- loader: format detection keyed off presence of gateway+trace, so stripping `gateway` downgraded a cmcp envelope to the weaker plain trace path. Detection now uses the positive `cmcp_version` marker and rejects partial cmcp envelopes outright.
- TR-ANC / TR-RTE: http:// URIs were accepted where the failure messages demanded https. Now https only.
- TR-ENV: iat freshness had no upper bound, so any historical record passed forever. Added configurable max-age (default 24h) and a `--max-age` CLI option.

Adds unit tests for all four fixes plus end-to-end CLI regression tests proving unsigned records can no longer pass level 1/2.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Summary
Fixes four fail-open paths found in a security review:
- TR-SIG: trace-format records carried no verifiable signature yet TR-SIG emitted PASS ("key type is supported") plus SKIP, and the CLI counted skips as non-failures, so `trace-tests verify --level 2` passed for completely unsigned JSON. TR-SIG now fails closed: FAIL at any level >= 1, and a distinct `UNVERIFIED` status (never PASS-only) at level 0. The CLI treats UNVERIFIED as failure at level >= 1 (defense in depth) and surfaces "record is NOT cryptographically verified" in the level 0 result line.
- Loader format detection: `cmcp-runtime` only when both `gateway` and `trace` keys were present, so stripping `gateway` downgraded a cmcp envelope to the weaker plain-trace path. Detection now keys off the positive `cmcp_version` marker, rejects partial cmcp envelopes (`trace`/`gateway`/`signature` without `cmcp_version`) with a LoadError, and the chosen format remains visible in the report header.
- TR-ANC `transparency` and TR-RTE `rim_uri` now accept https only, matching their failure messages.
- TR-ENV: `iat` since Nov 2023. Added a configurable max-age (default 24h) with a clear staleness failure and a `--max-age` CLI option.

Tests
`tests/unit/test_loader.py` (downgrade resistance), `tests/unit/test_cli.py` (end-to-end regression: unsigned record fails level 1/2, partial envelope rejected, stale record fails), `tests/unit/test_tr_anc.py`.

🤖 Generated with Claude Code
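The four fail-closed rules described above, written out as a constructed example that is not the trace-tests project's own loader or TR-* check code; the function names, the `LoadError` class, the cmcp key set and the status strings are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed illustration (not trace-tests' own loader or TR-* code) of the
# PR's fail-closed rules; names, the key set and LoadError are assumptions.
CMCP_ONLY_KEYS = {"trace", "gateway", "signature"}
DEFAULT_MAX_AGE = 24 * 3600  # seconds; the PR's default --max-age of 24h


class LoadError(ValueError):
    """Raised for partial cmcp envelopes instead of downgrading them."""


def detect_format(record: dict) -> str:
    """Key off the positive `cmcp_version` marker, not off gateway+trace presence.

    Stripping `gateway` from a cmcp envelope used to yield a plain trace record;
    here any cmcp-only key without the marker is rejected outright.
    """
    if "cmcp_version" in record:
        return "cmcp-runtime"
    leaked = record.keys() & CMCP_ONLY_KEYS
    if leaked:
        raise LoadError(f"partial cmcp envelope: {sorted(leaked)} without cmcp_version")
    return "trace"


def signature_status(record: dict, level: int) -> str:
    """TR-SIG rule: a plain trace record has nothing to verify, so it is never
    PASS: FAIL at level >= 1, a distinct UNVERIFIED at level 0."""
    if detect_format(record) == "trace":
        return "FAIL" if level >= 1 else "UNVERIFIED"
    return "VERIFY"  # cmcp-runtime carries a signature; the crypto check follows


def check_https_uri(uri: str, field: str) -> str:
    """TR-ANC `transparency` / TR-RTE `rim_uri`: https only, as the message says."""
    parsed = urlparse(uri)
    if parsed.scheme == "https" and parsed.netloc:
        return "PASS"
    return f"FAIL: {field} must be an https URI, got {uri!r}"


def check_freshness(iat: int, now: int, max_age: int = DEFAULT_MAX_AGE) -> str:
    """TR-ENV freshness with the missing upper bound: a historical iat fails."""
    if iat > now:
        return "FAIL: iat is in the future"
    age = now - iat
    if age > max_age:
        return f"FAIL: record is stale ({age}s old, max-age {max_age}s)"
    return "PASS"
```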