Skip to content

Handle missing nonce on RFC 3161 timestamp#305

Open
haines wants to merge 2 commits into
sigstore:mainfrom
haines:rfc-3161-nonce-is-optional
Open

Handle missing nonce on RFC 3161 timestamp#305
haines wants to merge 2 commits into
sigstore:mainfrom
haines:rfc-3161-nonce-is-optional

Conversation

@haines
Copy link
Copy Markdown

@haines haines commented Mar 30, 2026

Summary

Fixes #304

RFC 3161 timestamps have an optional nonce, but verification fails if this is absent.

Can't convert nil into Integer

    req.nonce = resp.token_info.nonce
                ^^^^^^^^^^^^^^^^^^^^^
    ~/.gem/ruby/4.0.2/gems/sigstore-0.2.3/lib/sigstore/verifier.rb:389:in 'OpenSSL::Timestamp::Request#nonce='
    ~/.gem/ruby/4.0.2/gems/sigstore-0.2.3/lib/sigstore/verifier.rb:389:in 'block in Sigstore::Verifier#extract_timestamp_from_verification_data'

This PR prevents the error by guarding the assignment of nonce in the OpenSSL::Timestamp::Request with a check that it isn't nil.

Release Note

Fix verification of RFC 3161 timestamps without nonces.

Documentation

No

@haines
Handle missing nonce on RFC 3161 timestamp
698d350 
Signed-off-by: Andrew Haines <andrew@haines.org.nz>
@haines
Copy link
Copy Markdown
Author

haines commented May 19, 2026

@Hayden-IO could you please take a look?

@Hayden-IO Hayden-IO requested a review from segiddins May 19, 2026 16:10
Hayden-IO
Hayden-IO previously approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Hayden-IO Hayden-IO left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks correct to me, added a sigstore-ruby maintainer to take a look

segiddins
segiddins previously approved these changes May 23, 2026
View reviewed changes
@segiddins
Copy link
Copy Markdown
Member

segiddins commented May 23, 2026

I dont know why I'm not able to kick off the GHA workflows... additionally, it would be awesome if you were able to add a test that covers this

@haines
Add test
9ccacd4 
Signed-off-by: Andrew Haines <andrew@haines.org.nz>
@haines haines dismissed stale reviews from segiddins and Hayden-IO via 9ccacd4 May 25, 2026 12:13
@haines
Copy link
Copy Markdown
Author

haines commented May 25, 2026

@segiddins I've added a test that fails without this change, using the signed timestamp from #304.

@haines haines requested a review from segiddins May 26, 2026 14:27
@segiddins segiddins enabled auto-merge (squash) June 3, 2026 07:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hayden-IO Hayden-IO Hayden-IO left review comments

@segiddins segiddins Awaiting requested review from segiddins

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Can't verify without nonce in RFC 3161 timestamp

3 participants

@haines @segiddins @Hayden-IO