Skip to content

fix(attestation): decode DSSE signature at bundle source#3060

Merged
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:fix/attestation-signature-source-and-test-helper
Apr 20, 2026
Merged

fix(attestation): decode DSSE signature at bundle source#3060
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:fix/attestation-signature-source-and-test-helper

Conversation

@migmartri

Copy link
Copy Markdown
Member

Summary

Follow-up to #3056 addressing review comments.

  • Fixes the double-base64 signature bug at its source by decoding the DSSE signature inside BundleFromDSSEEnvelope, so new Sigstore bundles are correct by construction. This was the cleanup the original TODO tracked against the removal of AttestationServiceStoreRequest.Bundle.
  • Drops the defensive FixSignatureInBundle call from the CLI push path; it is retained in the verifier to continue handling attestations stored before the fix, and its godoc is updated to reflect that.
  • Promotes the envelope-to-bundle test helper from workflowrun_integration_test.go to app/controlplane/pkg/biz/testhelpers so other biz integration tests can reuse it.

Related to #3055

Move the double-base64 fix into BundleFromDSSEEnvelope so new Sigstore
bundles carry a properly decoded signature by construction. FixSignatureInBundle
is retained in the verifier for backward compatibility with attestations stored
before the fix. Promote the envelope-to-bundle test helper to the shared
testhelpers package so other biz integration tests can reuse it.

Follow-up to chainloop-dev#3055.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri requested a review from jiparis April 18, 2026 10:12
- Guard BundleFromDSSEEnvelope against empty DSSE Signatures slice.
- Trim narrative comment on BundleBytesFromEnvelope testhelper.
- Deduplicate attestations_test.go with a shared test envelope helper; add
  explicit no-signatures and no-op cases.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

@migmartri migmartri merged commit 81e188c into chainloop-dev:main Apr 20, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants