Skip to content

fix(verifier): return typed errors from timestamp verification#3038

Merged
jiparis merged 2 commits into
chainloop-dev:mainfrom
jiparis:fix/typed-timestamp-verification-errors
Apr 16, 2026
Merged

fix(verifier): return typed errors from timestamp verification#3038
jiparis merged 2 commits into
chainloop-dev:mainfrom
jiparis:fix/typed-timestamp-verification-errors

Conversation

@jiparis

@jiparis jiparis commented Apr 16, 2026

Copy link
Copy Markdown
Member

Improve control plane error reporting when TSA verification fails.

Closes #3039

Summary

  • Replace opaque "some timestamps verification failed" with typed sentinel errors (ErrTSAResponseInvalid, ErrTimestampOutsideTSAValidity, ErrSigningCertNotValidAtTimestamp, ErrNoTSARootsConfigured) so callers and Sentry can identify the exact failure mode via errors.Is
  • Return early on first failed timestamp instead of accumulating counts
  • Hoist sb.VerificationContent() out of the per-TSA inner loop (pre-existing inefficiency)

Replace the opaque "some timestamps verification failed" message with
typed sentinel errors so callers (and Sentry) can identify the exact
failure mode without string matching:

- ErrTSAResponseInvalid — RFC3161 response rejected by TSA chain
- ErrTimestampOutsideTSAValidity — timestamp outside cert validity window
- ErrSigningCertNotValidAtTimestamp — signing cert not valid at timestamp time
- ErrNoTSARootsConfigured — bundle has timestamps but server has no TSA roots

Also hoists sb.VerificationContent() out of the per-TSA inner loop
(pre-existing inefficiency) and returns early on the first failed
timestamp instead of accumulating counts.

Relates to CONTROL-PLANE-5V

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested a review from a team April 16, 2026 08:08
@jiparis jiparis merged commit 80dea40 into chainloop-dev:main Apr 16, 2026
18 of 19 checks passed
@jiparis jiparis deleted the fix/typed-timestamp-verification-errors branch April 16, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

TSA verification failures are not descriptive

2 participants